Why install Flash Player?

Adobe® Flash® Player is the software that allows computers to play multimedia content contained in SWF
(pronounced “swiff”) files, which are the main type of file used by Flash Player. This content can be
created by Adobe® Animate CC, Adobe® Flash® Builder™, or other tools that output the SWF file format.
SWF content can range from simple animations to online advertisements to complete applications that
communicate over the Internet. Flash Player is available in multiple forms. In its most popular form, it is
embedded in a web browser as a plug-in or an ActiveX control.

You may have been asked to deploy Flash Player in your network environment because someone in your
company  has  built  a  SWF  application  for  business  use,  or  because  there  is  external  SWF  content  that 
employees  want  to  have  access  to. 

To  deploy  Flash  Player,  you  must  first  acquire  a  license  to  do  so.  Distribution  licenses  are  free  of  charge 
and  can  be  acquired  through  the  online  licensing  application  at  www.adobe.com/licensing/distribution. 
Note that you must use your company or organization email address when requesting a distribution
license. Public email addresses (such as gmail.com, yahoo.com, hotmail.com, and so on) are not allowed.
For answers to questions regarding Flash Player licensing and deployment, see the Adobe Player
Distribution FAQ at www.adobe.com/licensing/distribution/faq.


Additional  resources 

The  following  sites  provide  information  about  some  general  topics  related  to  the  Flash  Platform,  Flash 
Player,  and  design  and  development  tools.  For  information  about  sites  related  specifically  to  issues 
covered in this document, see the chapter that covers that issue. For example, for an extensive list of
resources  specific  to  the  topic  of  security,  see  Additional  security  resources  in  Security  considerations. 

For the latest version of this guide, see the Adobe Flash Player Administration Guide section of the Flash
Player Developer Center at www.adobe.com/go/flash_player_admin.

Flash  Player  and  deployment 

The  following  sites  contain  information  and  links  to  help  you  understand  how  to  deploy  Flash  Player  and 
work with SWF files.

• The Flash Player product page at www.adobe.com/products/flashplayer.html provides information
on a number of topics relating to installing, using, and deploying Flash Player. It also contains links
to documents that can answer just about any question you might have about Flash Player, locations
for downloading the player, user forums, and so on. Much of the information in this document is
excerpted from documents available from the Support Center.

• The Flash Player Developer Center at www.adobe.com/devnet/flashplayer provides extensive
information about Flash Player, including development and deployment of applications. The
content includes Tech Notes, articles, and tutorials.

• The SWF File Format Specification at www.adobe.com/go/swf_file_format documents the SWF file
format and describes how to write SWF files.

• The Flash Player Release notes at www.adobe.com/support/documentation/en/flashplayer/releasenotes.html
contain information about features, fixes and improvements, and known
issues for each version of the player.

Design and development tools

Adobe provides the following tools for developing SWF files (the file format that executes in Flash
Player):

• Animate CC (www.adobe.com/products/animate/)

In Animate CC (formerly Flash Professional), designers and developers create FLA files that
contain graphical elements, a timeline, and ActionScript code. Both ActionScript 2.0 and ActionScript
3.0 are supported. FLA files are compiled into SWF files.

• Adobe® Flash® Builder™ (www.adobe.com/products/flash-builder.html/)

In Adobe® Flash® Builder™ 4 (formerly Adobe® Flex® Builder™), developers and designers create
MXML files and FLA files using the open source Flex framework. They can also use ActionScript 3.0.
Both MXML and ActionScript compile into SWF files.

• Adobe® Flex® (www.adobe.com/products/flex/)

In Flex, developers create MXML files that describe the visual and code elements of their
applications. They can also use ActionScript 3.0. Both MXML and ActionScript compile into SWF files.

Player files and locations

Adobe Flash Player is normally deployed as a browser plug-in or ActiveX control. For each player
environment, two versions of Flash Player are available—a “Content Debugger” version for developers, and a
“Release” version for end users. The Content Debugger player implements the same feature set as the
Release player, but also displays run-time errors. Each of these implementations is described in this
section.

note:  There  is  also  a  stand-alone  player,  but  it’s  usually  installed  by  the  development  tools,  not  deployed 
by  administrators. 

Firefox/Mozilla  NPAPI  plug-in  architecture 

Mozilla-based browsers (such as Firefox), and the Safari browser on the Macintosh use this plug-in.

Windows NPAPI plug-in filenames and locations

On Windows, files named NPSWF32.dll (NPSWF64.dll for 64-bit Windows) and flashplayer.xpt are
installed.

note: For Flash Player 11.2 and later, the dll file name also includes the build number. For example,
NPSWF32_11_2_202_228.dll (32-bit Windows) and NPSWF64_11_2_202_228.dll (64-bit Windows).

The installer places these files in directories that differ by OS version, as follows:

• 32-bit Windows - %WINDIR%\System32\Macromed\Flash

• 64-bit Windows, 32-bit mode - %WINDIR%\SysWow64\Macromed\Flash

• 64-bit Windows, 64-bit mode - %WINDIR%\System32\Macromed\Flash

NOTE: The %WINDIR% location represents the Windows system directory, such as C:\WINDOWS.

The Windows plug-in installer also places a broker application called FlashUtilnnn_Plugin.exe in the same
directory as the Flash Player Plug-in DLL. The nnn represents the version number and changes with each
release. FlashUtilnnn_Plugin.exe includes functionality required by Windows Vista and above, and as an
upgrade and uninstall mechanism.

note: For Flash Player 11.2 and later, the broker file name also includes the build number. For example,
FlashUtil32_11_2_202_228_Plugin.exe (32-bit Windows) and FlashUtil64_11_2_202_228_Plugin.exe
(64-bit Windows).

Macintosh NPAPI plug-in filenames and locations

On the Macintosh, files named Flash Player.plugin and flashplayer.xpt are installed. These files are placed
in the /Library/Internet Plug-Ins folder.

Linux plug-in filenames and locations

On  Linux,  files  named  libflashplayer.so  and  flashplayer.xpt  are  installed.  The  install  location  is  dependent 
upon  the  browser,  Linux  distro,  and  distro  version. 

Chromium PPAPI plug-in architecture

Chromium-based  browsers  (such  as  Opera)  on  Windows  and  Macintosh  use  this  plug-in. 

Windows  PPAPI  plug-in  filenames  and  locations 

On Windows, files named pepflashplayer32.dll (pepflashplayer64.dll for 64-bit Windows) and
manifest.json are installed.

note: The dll file name also includes the build number. For example, pepflashplayer32_22_0_0_157.dll
(32-bit Windows) and pepflashplayer64_22_0_0_157.dll (64-bit Windows).

The installer places these files in directories that differ by OS version, as follows:

• 32-bit Windows - %WINDIR%\System32\Macromed\Flash

• 64-bit Windows, 32-bit mode - %WINDIR%\SysWow64\Macromed\Flash

• 64-bit Windows, 64-bit mode - %WINDIR%\System32\Macromed\Flash

note: The %WINDIR% location represents the Windows system directory, such as C:\WINDOWS.

The Windows PPAPI plug-in installer also places a broker application called FlashUtilnnn_pepper.exe in the
same directory as the Flash Player PPAPI Plug-in DLL. The nnn represents the version number and
changes with each release. FlashUtilnnn_pepper.exe includes functionality required by Windows Vista
and above, and as an upgrade and uninstall mechanism.

Macintosh PPAPI plug-in filenames and locations

On the Macintosh, files named PepperFlashPlayer.plugin and manifest.json are installed. These files are
placed in the /Library/Internet Plug-Ins/PepperFlashPlayer folder.

Linux PPAPI plug-in filenames and locations

On Linux, files named libpepflashplayer.so and manifest.json are installed. The install location is
dependent upon the browser, Linux distro, and distro version.

ActiveX  Control  on  Windows 

The  ActiveX  control  is  used  by  Microsoft  Internet  Explorer  as  well  as  certain  other  applications,  such  as 
Microsoft  Powerpoint  and  Yahoo  Messenger.  The  player  is  an  OCX  file  whose  name  reflects  the  version 
number. 

note: For Flash Player 11.2 and later, the .ocx file name also includes the build number. For example,
Flash32_11_2_202_228.ocx (32-bit) and Flash64_11_2_202_228.ocx (64-bit Windows).

The installer places these OCX files in directories that differ by OS version, as follows:

• 32-bit Windows - %WINDIR%\System32\Macromed\Flash

• 64-bit Windows, 32-bit mode - %WINDIR%\SysWow64\Macromed\Flash

• 64-bit Windows, 64-bit mode - %WINDIR%\System32\Macromed\Flash

NOTE: The %WINDIR% location represents the Windows system directory, such as C:\WINDOWS.

note: The Flash Player ActiveX control on Windows 8.1 and above is a component of Internet Explorer
and Edge and is updated via Windows updates. Using Flash Player ActiveX installer, you can't install Flash
Player ActiveX control on Windows 8.1 and above systems. Also, the Flash Player uninstaller doesn't
uninstall the ActiveX control on Windows 8.1 and above systems.

note:  Windows  8.0  is  no  longer  a  supported  system.  Users  are  strongly  encouraged  to  upgrade  to 
Windows  8.1  or  Windows  10  to  continue  to  receive  Flash  Player  updates. 

Additional  files 

When  Flash  Player  is  installed  on  Windows,  certain  utility  files  are  installed  that  perform  special  functions 
for  Flash  Player,  including  auto-update  notification  and  brokering  certain  processes  on  Windows  Vista 
and  above. 

FlashUtil.exe 

A  utility  file  named  FlashUtilnnn_ActiveX.exe  is  installed  with  Flash  Player.  The  utility  is  versioned  with 
the control; for example, FlashUtil10h_ActiveX.exe is installed with the control Flash10h.ocx.

note: For Flash Player 11.2 and later, the FlashUtil file name includes the entire build number. For
example, FlashUtil32_11_2_202_228_ActiveX.exe (for 32-bit) and FlashUtil64_11_2_202_228_ActiveX.exe
(for 64-bit).

The  FlashUtilnnn.exe  file  is  associated  with  the  notification  auto-update  functionality,  uninstallation,  and 
brokering  the  interaction  between  the  ActiveX  control  and  Internet  Explorer  (brokering  only  occurs  on 
Windows  Vista  and  above).  There  is  also  a  file  named  FlashUtilnnn_ActiveX.dll. 

When the browser plug-in is installed, a similar application named FlashUtilnnn_Plugin.exe or
FlashUtilnnn_Pepper.exe is installed.
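
An added example, not part of Adobe's guide: a Python sketch that classifies file names found in a Macromed\Flash directory using the naming patterns described in this section, and flags player binaries that are older than a baseline build or carry no build number. The function names, the baseline value and the sample listing are constructed for illustration.

```python
import re
from typing import Iterable, List, NamedTuple, Optional, Tuple

Version = Tuple[int, ...]


class FlashBinary(NamedTuple):
    filename: str
    component: str              # "npapi", "ppapi", "activex" or "broker"
    bits: Optional[int]         # 32 or 64; None when the name does not say
    version: Optional[Version]  # None when the name carries no build number


_BUILD = r"(?P<build>\d+(?:_\d+){3})"   # e.g. 11_2_202_228
_BITS = r"(?P<bits>32|64)"
_KIND = r"(?:ActiveX|Plugin|Pepper)"

# Build-numbered names (Flash Player 11.2 and later) are tried before the
# older "nnn" style such as Flash10h.ocx / FlashUtil10h_ActiveX.exe.
_RULES = [(component, re.compile(pattern, re.IGNORECASE)) for component, pattern in [
    ("npapi",   r"NPSWF" + _BITS + r"(?:_" + _BUILD + r")?\.dll"),
    ("ppapi",   r"pepflashplayer" + _BITS + r"(?:_" + _BUILD + r")?\.dll"),
    ("activex", r"Flash" + _BITS + r"_" + _BUILD + r"\.ocx"),
    ("broker",  r"FlashUtil" + _BITS + r"_" + _BUILD + r"_" + _KIND + r"\.(?:exe|dll)"),
    ("activex", r"Flash[0-9a-z]+\.ocx"),
    ("broker",  r"FlashUtil[0-9a-z]+_" + _KIND + r"\.(?:exe|dll)"),
]]


def classify(filename: str) -> Optional[FlashBinary]:
    """Map one file name to a Flash Player component, or None if unrelated."""
    for component, rule in _RULES:
        match = rule.fullmatch(filename)
        if match is None:
            continue
        groups = match.groupdict()
        bits = int(groups["bits"]) if groups.get("bits") else None
        build = groups.get("build")
        version = tuple(int(p) for p in build.split("_")) if build else None
        return FlashBinary(filename, component, bits, version)
    return None


def needs_attention(filenames: Iterable[str], baseline: Version) -> List[Tuple[str, str]]:
    """Return (filename, reason) for binaries older than baseline or unversioned."""
    findings = []
    for name in filenames:
        binary = classify(name)
        if binary is None:
            continue  # not a player binary (install logs, .xpt files, ...)
        if binary.version is None:
            findings.append((name, "no build number in name; check file properties"))
        elif binary.version < baseline:
            found = ".".join(map(str, binary.version))
            findings.append((name, "build " + found + " is older than baseline"))
    return findings


if __name__ == "__main__":
    # Constructed directory listing and baseline, for illustration only.
    listing = [
        "NPSWF32_11_2_202_228.dll",
        "pepflashplayer32_22_0_0_157.dll",
        "Flash10h.ocx",
        "flashplayer.xpt",
        "FlashInstall32.log",
    ]
    for name, reason in needs_attention(listing, baseline=(22, 0, 0, 157)):
        print(name, "->", reason)
```
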


Data  formats  used 

Several file types are created or read by Flash Player. These file types are summarized in the following list.

• SWF: The SWF file format is an efficient delivery format that contains vector graphics, text, video,
and sound. Flash Player executes SWF files. SWF files can be loaded into Flash Player dynamically
by instructions in other SWF files.

• CFG: These are configuration files that network administrators and developers can deploy along
with Flash Player to customize Flash Player settings and address certain security issues for all users.
For more information, see Administration. End users can also create CFG files to address certain
security issues for that specific user; see The User FlashPlayerTrust directory.

• SWC (pronounced “swik”): These are SWF files that developers deliver as components for use when
working in the Flash authoring environment.

• SO: Shared object files are used by Flash Player to store data locally. For example, a developer may
create a game application that stores information on high scores. This data may be stored either
for the duration of a Flash Player session, or persistently across sessions. In addition, Flash Player
creates a persistent shared object that stores player settings, such as the amount of disk space a
website can use, if any, when creating shared objects. Shared object files are stored in the
following locations:

Windows  Vista  and  above 

C:\Users\username\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\randomDirectoryName

Windows 2000 and Windows XP

C:\Documents and Settings\username\Application Data\Macromedia\Flash Player\#SharedObjects\randomDirectoryName

Macintosh

/Users/username/Library/Preferences/Macromedia/Flash Player/#SharedObjects/randomDirectoryName

Linux 

GNU-Linux  ~/.macromedia#SharedObjects/randomDirectoryName 

Shared  objects  are  stored  in  a  directory  with  a  randomly  generated  name  for  security  purposes. 
Flash Player remembers how to direct a SWF file to the appropriate location, but users of other
applications outside Flash Player, such as a web browser, cannot use those applications to access the
data. This limitation ensures that the data is used only for its intended purpose.

• MP3 - The compressed audio file format.

• JPG, PNG, and GIF - Image file formats. The TIF and BMP formats are not directly supported for use
in SWF files.

• FLV - Flash Player compressed video format.

• FXG - Flash XML graphics format. An XML-based graphics interchange format for the Flash Platform.

• XML (Extensible Markup Language) - Used for sending and receiving larger amounts of data with
structured text.

• MXML - The XML-based language that developers use to lay out components in Flex applications.

note: If you block access to any of these file types, certain functionality of Flash Player may be disabled.

Network  protocols  used 

Flash Player can use the following network protocols:

• HTTP

• HTTPS

• RTMP (Real Time Messaging Protocol) - a proprietary protocol used with Flash Media Server to
stream audio and video over the web. The default connection port is 1935.

• RTMPT - RTMP tunneling via HTTP. The default connection port is 80.

• RTMPS - RTMP tunneling via HTTPS. The default connection port is 443.

• SOAP - Simple Object Access Protocol

• UNC - Universal Naming Convention

• TCP/IP - Transmission Control Protocol/Internet Protocol

• FTP - File Transfer Protocol

• SMB - Server Message Block. SMB is a message format used by DOS and Windows to share files,
directories, and devices. Flash Player can load animations and SWF files from remote SMB shares.
Flash has restrictions on what Flash SWF files loaded from SMB shares are allowed to do.

•  SSL  -  Secure  Sockets  Layer 

•  AMF  -  ActionScript  Message  Format 


Player  processes 

Most often, Flash Player runs as a browser plug-in. When run as a stand-alone player, it launches a
process named FlashPlayer.exe. The one exception to this statement is when content is played back using
Internet Explorer on Windows Vista or above. In this case FlashUtilnnn_ActiveX.exe will be in the process
list.

Flash and Flex developers can package their SWF files into stand-alone EXE files, called projectors. When
a projector is run, it launches a single process, named for the projector executable filename.

Other processes are created when Flash Player auto update occurs. GetFlash.exe, FlashUtilnnn_ActiveX.exe,
FlashUtilnnn_Plugin.exe, FlashUtilnnn_Pepper.exe, or FlashPlayerUpdateService.exe will be
running during an auto update request and subsequent downloading and installing of the updated
player. FlashUtilnnn_ActiveX.exe, FlashUtilnnn_Plugin.exe, or FlashUtilnnn_Pepper.exe processes will
be visible when the Flash Player is uninstalled on Windows via Add/Remove Programs.


Player  versions 

Before  deploying  the  player,  you  might  want  to  know  what  version  is  already  installed  on  an  end  user’s 
machine.  An  easy  way  to  determine  the  version  of  Flash  Player  installed  is  to  navigate  to 
www.adobe.com/products/flash/about; this page displays a message stating which version is installed.
Or, while a SWF file is playing, right-click (Windows or Linux) or Command-click (Macintosh) on the SWF
content and then choose “About Flash Player” from the context menu.

A Master Version XML file that lists all Flash Player versions for the various supported platforms and
browsers is available at https://fpdownload.macromedia.com/pub/flashplayer/masterversion/masterversion.xml.
Customers who use automation scripts to check for updates can use this file in their
automation scripts.

On the Macintosh, you can navigate to the Flash Player.plugin file located in the /Library/Internet
Plug-Ins folder, or PepperFlashPlayer.plugin in the /Library/Internet Plug-Ins/PepperFlashPlayer folder,
then Command-click and choose Get Info. The version number is available on the General menu.

On Windows, you can determine which version of the ActiveX control is installed by navigating to the
directory where the OCX file is located (see ActiveX Control on Windows for the default location).
Right-click on the OCX file and choose Properties, then inspect the value in the Version tab. If the OCX
file isn’t installed in the default location, you can determine its location and name by inspecting the
following registry key, which is created when the OCX control is registered:

HKEY_CLASSES_ROOT\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32

Similarly,  you  can  determine  the  NPAPI  or  PPAPI  Plug-in  version  by  examining  the  version  tab  of  the 
NPSWF32.dll  or  pepflashplayer32.dll  file,  which  is  located  in  the  same  folder  as  the  ActiveX  control. 

For information on how to incorporate player version detection into web sites, see the “Detection and
Installation” section at the Flash Player Developer Center
(www.adobe.com/devnet/flashplayer/detection_installation.htm).

If you want to learn which version of Flash Player is installed on an end user’s machine without going to
each machine individually, you or a developer at your site can create and distribute a SWF file that
implements the System.capabilities.version API and reports the results to a database using a
command such as HTTP GET or POST. This technique is useful for activities such as collecting statistics
on how many users have which version of Flash Player.

Installers

When you license Flash Player you will receive an email containing the license agreement and a link to
the Adobe Flash Player Distribution Page to download the installers from. Save this email and use the link
whenever you need to download the installation files.

The  licensed  installers  for  Flash  Player  are  available  in  a  number  of  forms.  For  Windows  Internet  Explorer 
(ActiveX control) and Firefox/Mozilla NPAPI or Chromium PPAPI plug-ins, you can download an
executable installer (EXE file) or an MSI installer.

note: Flash Player ActiveX Control installers are only for Windows 7 and below. As of Windows 8,
Microsoft embeds Flash Player in Internet Explorer, and Edge browser in Windows 10. All updates to the
embedded Flash Player ActiveX for Internet Explorer/Edge are distributed by Microsoft via Windows
Updates.

If you are using the Microsoft System Center Updates Publisher 4.5, you can import the Adobe Flash
Player Catalog for deployment via WSUS 3.0 SP2. The Adobe Flash Player Catalog for System Center
Updates Publisher supports the delivery of the ActiveX control, the NPAPI and PPAPI plug-ins.

If  you  are  using  Microsoft  Systems  Management  Server  (SMS)  2003  R2,  you  can  also  import  the  Adobe 
Flash  Player  Catalog  with  the  Inventory  Tool  for  Custom  Updates.  The  Adobe  Flash  Player  Catalog  only 
supports  the  delivery  of  the  ActiveX  control. 

For  Macintosh  OS  X,  you  use  a  PKG  installer  for  the  NPAPI  or  PPAPI  plug-in. 

For openSUSE and Red Hat, you use an RPM installer or YUM package manager. For Ubuntu, you use the
Ubuntu Software Updater or APT delivery.

Adobe strongly recommends that you implement network installation strategies in a testing
environment prior to implementation in a live environment. Adobe support cannot provide troubleshooting
assistance for customized installations.

On Windows and Mac platforms, Adobe Flash Player enables system administrators to push updates to
the client systems they manage. The update mechanism supports background updates that require no
action by the user to perform the update. For more information, see Performing a background update.

On Windows 8.x and above systems, Flash Player for Internet Explorer and Edge is updated by Microsoft
through Software Updates for Internet Explorer and Edge. Adobe’s installer or uninstaller will not install
or uninstall Flash Player for Internet Explorer and Edge on Windows 8.x and above systems.

Uninstalling Flash Player

To minimize the potential for installation issues, you might want to consider uninstalling any existing
Flash Players and rebooting your system before installing the new Flash Player.

note: Beginning with Flash Player 11.5, uninstalling the Flash Player resets the AutoUpdateDisable and
SilentAutoUpdateEnable settings in mms.cfg to their default values, which are AutoUpdateDisable=0 and
SilentAutoUpdateEnable=0 (Notification Updates enabled, Background Updates disabled).

note: If you are running the Flash Player uninstaller as part of your deployment process and configure
update settings via the mms.cfg file, you have to re-deploy the mms.cfg file with any custom changes
that you have made to either AutoUpdateDisable and/or SilentAutoUpdateEnable.
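
An added example, not part of Adobe's guide: a Python check that compares the update settings in an mms.cfg file against the policy you intended to deploy, so a reset caused by the uninstaller shows up as drift. It assumes mms.cfg consists of key=value lines with '#' comment lines, compares key names exactly as written in this guide, and uses constructed sample content; the function names are hypothetical.

```python
from typing import Dict, List, Tuple

# Values the uninstaller restores in Flash Player 11.5 and later (from the note above).
UNINSTALL_DEFAULTS = {"AutoUpdateDisable": "0", "SilentAutoUpdateEnable": "0"}


def parse_mms_cfg(text: str) -> Dict[str, str]:
    """Parse key=value lines; blank lines and '#' comment lines are skipped."""
    settings: Dict[str, str] = {}
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            # Assumption: when a key is repeated, the last occurrence wins.
            settings[key.strip()] = value.strip()
    return settings


def update_policy_drift(mms_cfg_text: str,
                        intended: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (key, intended, effective) for update settings that differ from policy."""
    actual = parse_mms_cfg(mms_cfg_text)
    drift = []
    for key, default in UNINSTALL_DEFAULTS.items():
        want = intended.get(key, default)
        effective = actual.get(key, default)  # a missing key means the default applies
        if effective != want:
            drift.append((key, want, effective))
    return drift


if __name__ == "__main__":
    # Constructed sample: the policy enables background updates, but the file
    # found after running the uninstaller is back at the default values.
    policy = {"AutoUpdateDisable": "0", "SilentAutoUpdateEnable": "1"}
    after_uninstall = (
        "# constructed sample mms.cfg\n"
        "AutoUpdateDisable=0\n"
        "SilentAutoUpdateEnable=0\n"
    )
    for key, want, effective in update_policy_drift(after_uninstall, policy):
        print(key + ": intended " + want + ", effective " + effective + "; re-deploy mms.cfg")
```
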

Uninstalling  on  Windows 

Before  uninstalling  Flash  Player,  be  certain  to  quit  all  running  applications,  including  all  Internet  Explorer 
or other browser windows, AOL Instant Messenger, Yahoo Messenger, MSN Messenger or other
Messengers. Check the Windows system tray carefully to make certain no applications that might
possibly use Flash Player are still in memory.

Use the uninstaller available at www.adobe.com/go/tn_14157 to uninstall any version of the player.

Silent mode

Beginning with the Adobe Creative Suite 5 and web releases of the Flash Player (10.1.r52 and 10.1.r53),
the /silent method of uninstalling the player is deprecated in favor of “-uninstall”.

To uninstall in silent mode for Flash Player 10.1 (and higher), the silent mode is “-uninstall”.

uninstall_flash_player.exe -uninstall

To uninstall only one particular Flash Player type include the player type (activex, plugin, or
pepperplugin) as an argument when uninstalling silently, as follows:

• ActiveX Control: uninstall_flash_player.exe -uninstall activex

Windows 7 and prior. Microsoft embeds Flash Player for IE/Edge on Windows 8 and above
and Adobe's Flash Player uninstaller will NOT remove the embedded Flash Player ActiveX
Control.

• NPAPI Plugin: uninstall_flash_player.exe -uninstall plugin

• PPAPI Plugin: uninstall_flash_player.exe -uninstall pepperplugin

For more information, see http://kb2.adobe.com/cps/402/kb402435.html.

Note that if you use the Flash Player 10.1 (and higher) uninstaller to uninstall an instance of Flash Player
9, then uninstalling in silent mode would still be done with “-uninstall.” In other words, it is the version
of the uninstaller rather than the version of the player being uninstalled that dictates whether to use
“-uninstall” or “/silent”.

Uninstalling on Linux

To uninstall Flash Player on Linux, log in as root and use one of the following commands, depending on
the method used to install the plug-in originally (via rpm, yum, or APT):

NPAPI Plugin:

rpm -e flash-plugin

PPAPI Plugin:

rpm -e flash-player-ppapi

NPAPI Plugin:

yum remove flash-plugin

PPAPI Plugin:

yum remove flash-player-ppapi

NPAPI and PPAPI Plugin:

apt-get remove adobe-flashplugin

RPM  and  YUM  are  for  Red  Hat  and  openSUSE.  You  can  use  YUM  for  Red  Hat. 

Uninstalling  on  Macintosh 

To  uninstall  Flash  Player  on  the  Macintosh,  make  sure  all  browsers  are  closed,  along  with  any  programs 
that  might  be  running  SWF  content,  such  as  the  Dashboard.  Then  use  the  Mac’s  standalone  uninstaller 
to completely uninstall the Flash Player. You can download the appropriate uninstaller at
www.adobe.com/go/tn_14157.

As of 11.6, silent uninstall is available on the Mac, using the standalone uninstaller, as follows:

1) Extract the Adobe Flash Player uninstaller bundle (Adobe Flash Player Uninstaller.app) from the
.DMG file.

2) Open a terminal window and change to the directory where the .app file is saved. For example, if
the .app file is saved on the Desktop of the current user, type: cd ~/Desktop.

3) Run the uninstaller contained in the .app file using the following command:

sudo ./Adobe\ Flash\ Player.app/Contents/MacOS/Adobe\ Flash\ Player\ Install\ Manager -uninstall

4) Type the root password to proceed with the uninstallation.

note: Uninstalling Flash Player on Mac will uninstall all Player types installed (such as NPAPI and PPAPI).
At this time it is not possible to uninstall one or the other on Mac.

Manually  Uninstalling  Flash  Player  on  Macintosh 

1) Reset the Update Notification option and unload the SAU daemon:

a) Set the Update Notification options to default values in mms.cfg:

AutoUpdateDisable=0

SilentAutoUpdateEnable=0

b) Run launchctl unload to unload the SAU daemon. At the prompt type:

sudo /bin/launchctl unload /Library/LaunchDaemons/com.adobe.fpsaud.plist

2) Delete the following files, if found:

a) SYSTEM NPAPI PLUGIN:

/Library/Internet Plug-Ins/Flash Player.plugin
/Library/Internet Plug-Ins/Flash Player Enabler.plugin
/Library/Internet Plug-Ins/flashplayer.xpt

b) SYSTEM PPAPI PLUGIN:

/Library/Internet Plug-Ins/PepperFlashPlayer/PepperFlashPlayer.plugin
/Library/Internet Plug-Ins/PepperFlashPlayer/manifest.json

c) SAU:

/Library/LaunchDaemons/com.adobe.fpsaud.plist
/Library/Application Support/Adobe/Flash Player Install Manager/fpsaud
/Library/Application Support/Adobe/Flash Player Install Manager/FPSAUConfig.xml

3) Delete install receipts:

Delete any bundles that have the com.adobe.pkg.FlashPlayer bundle identifier
in /Library/Receipts. (The CFBundleIdentifier entry in the Info.plist inside
the bundle).

If pkgutil is present, run the following command:

sudo pkgutil --force --forget com.adobe.pkg.FlashPlayer

4) Remove the Flash Player PreferencePane:

- Delete /Library/PreferencePanes/Flash Player.prefPane.

- Remove the com.adobe.preferences.flashplayer entry from inside
~/Library/Preferences/com.apple.systempreferences.plist.

5) Remove the Install Manager app:

If the file exists at /Applications/Utilities/Adobe Flash Player Install
Manager.app, remove it.

EXE  installation 

The  EXE  installer  can  be  run  in  either  of  two  modes,  interactive  or  silent.  The  interactive  mode  presents 
a full user interface and displays error dialogs if necessary. The silent mode does not present a user
interface, and returns error codes if necessary.

Warnings and errors are written to the FlashInstall log file located at the following locations:

• 32-bit OS: C:\Windows\System32\Macromed\Flash\FlashInstall32.log

• 64-bit OS: C:\Windows\System32\Macromed\Flash\FlashInstall64.log and
C:\Windows\SysWow64\Macromed\Flash\FlashInstall32.log

To run the EXE in silent mode, use the "-install" command line parameter:

path to installer\install_flash_player_active_x.exe -install


The following exit codes are returned by the Windows EXE installers for Flash Player 10.1 and above:

Error code    Meaning
0             No errors detected
1003          Invalid argument passed to installer
1011          Install already in progress
1012          Does not have admin permissions (W2K, XP)
1013          Trying to install older revision
1022          Does not have admin permissions (Vista, Windows 7)
1024          Unable to write files to directory
1025          Existing player in use
1032          ActiveX registration failed
1041          An application that uses the Flash Player is open. Quit the application and try again.

The following exit codes are returned by the Windows EXE installers for Flash Player 9:

Exit code     Meaning
3             Does not have admin permissions
4             Unsupported OS
5             Previously installed with elevated permissions
6             Insufficient disk space
7             Trying to install older revision
8             Browser is open

Active  Directory  installation 

To deploy the Flash Player MSI through the Active Directory, you use group policies. Also, the MSI for
Flash Player must exist within a network share on which everyone has read permissions.

Flash Player can be deployed to either computers or users.

•  You  can  publish  Flash  Player  to  users. 

Publishing is a group policy action. Therefore, when you publish Flash Player it doesn’t install the
MSI, but it does make it available to users the next time they log in. This implementation gives the
user the choice to install Flash Player through the Add/Remove Programs option in the Control Panel.

• You can assign Flash Player to users.

Assigning Flash Player to users is like publishing in that it is also a group policy action; the
assignment does not take effect until the next time that the user logs in. However, unlike publishing,
when the user logs in, Flash Player will be installed and an icon added to the desktop.

•  You  can  assign  Flash  Player  to  computers. 

Assigning Flash Player to a computer works similarly to assigning it to a user, with two major
differences. First, the assignment is linked to the computer and not to the user; it takes effect the next
time that the computer is restarted. The second difference is that the deployment process actually
installs Flash Player.

To  perform  the  deployment,  open  the  Group  Policy  Editor. 

Publish  or  assign  an  application  to  a  user: 

1) Navigate through the group policy console.

2) Select User Configuration > Software Settings > Software Installation.

3) Right-click on the Software Installation container.

4) Select the New > Package commands from the context menu.

5)  Select  the  Flash  Player  MSI  and  select  Open. 

6)  Choose  if  you  want  to  publish  or  assign  Flash  Player. 

7)  Select  OK. 

Assign  Flash  Player  to  a  computer 

1) Navigate through the group policy console.

2)  Select  Computer  Configuration  >  Software  Settings  >  Software  Installation. 

3)  Right-click  on  the  Software  Installation  container. 

4)  Select  the  New  >  Package  commands  from  the  context  menu. 

5)  Select  the  Flash  Player  MSI  and  select  Open. 

6)  Choose  to  assign  Flash  Player. 

7)  Select  OK. 

You  can  see  that  the  instructions  to  assign  Flash  Player  to  a  user  or  to  a  computer  are  similar.  The  main 
difference  is  selecting  the  user  or  computer  configuration  in  step  two. 

Flash Player Catalog for Microsoft System Center Updates Publisher

If  you  are  using  Microsoft  System  Center  Updates  Publisher  (SCUP)  4.5,  you  can  import  the  Adobe  Flash 
Player  Catalog  to  deploy  the  Flash  Player  ActiveX  control  and  Plug-in  via  WSUS  3.0  SP2.  Perform  the 
following  steps: 

1) Start the Microsoft System Center Updates Publisher 4.5.

2) Right-click System Center Updates Publisher and select Settings.

3) Click Add.

4) In Add Catalog, provide the location of the CAB file and complete the other fields as outlined in the
remainder of this procedure:

http://fpdownload.adobe.com/get/flashplayer/distribution/win/AdobeFlashPlayerCatalog_SCUP.cab

5) Right-click System Center Updates Publisher and select import update(s).

6) Select Bulk catalog import.

7) Click Next.

8) Select Accept on the next dialog box; this imports the catalog.

9) Click Close. Now all updates available in the catalog can be viewed in the SCUP console.

10) Right-click on each update to set the publish flag.

11) After setting up the publish flags, right-click on System Center Updates Publisher and select publish
update(s), to publish all flagged updates to WSUS 3.0 SP2 Server.

12) Follow the wizard to publish the updates. Then click Next.

13) Click Close on the confirmation dialog to complete the wizard.

These  updates  will  be  available  under  the  SCCM  console  at  the  next  sync  cycle  and  are  ready  to  be 
deployed. 


Configuring  SMS 

If you plan to use SMS to deploy the player, using either the Adobe Catalog or the MSI file, follow these
instructions before starting the deployment process.

1) Start the SMS Administrator Console.

2)  Expand  the  Site  Hierarchy,  select  Site  System,  and  double-click  on  the  SMS  site  server.  (In  this 
example  the  site  server  is  WMCNALLY) 

3)  Confirm  that  “Use  this  site  system  as  a  management  point”  is  enabled. 

4)  If  you  have  not  yet  selected  the  default  management  point,  the  following  error  message  is 
displayed. 

Select Yes to continue, then select Component Configuration, and then select Management Point.
This server is now set to be the default Management Point for your site.

5) If necessary, reopen the Site System Properties. Then, on the Server Locator Point tab, enable “Use
this site system as a server locator point”. This setting helps the client find the site server.

6) Select Start, All Programs, Administrative Tools, Internet Information Services (IIS) Manager.
Notice that your website was added to the IIS Manager.

7) As a final step, you may also want to set up some Discovery Methods in the SMS Administrative
Console, so your site will generate collections (machines or user IDs) automatically.


SMS  and  Adobe  Catalog  installation 

SMS 2003 R2 includes two tools for software deployment: the Inventory Tool for Custom Updates (ITCU)
and  the  Custom  Updates  Publishing  Tool  (CUPT).  This  section  briefly  describes  these  tools  and  explains 
how  to  use  them  to  deploy  Flash  Player. 

note: Installation using SMS can fail if the player is being installed on a machine where the logged-in user
does not have administrative privileges. For information on resolving this issue, see the TechNote
entitled “Flash Player MSI installation will fail on machines that don't have administrative privileges” at
www.adobe.com/go/df875c9e.

System  requirements  for  SMS  deployment 

To use SMS 2003 R2, the hierarchy, including clients, must be updated to SMS 2003 Service Pack 2 (SP2).
In addition, to use the CUPT, you must be running the Microsoft Management Console (MMC) 3.0 or
higher. You do not have to install CUPT on the SMS Site Server, but it must be installed on at least one
Windows XP machine. The CUPT requires SQL Server 2005 for hosting its database. If SQL Server 2005 is
not available, SQL Server Express Edition can be used. The CUPT tool allows administrators to manage
custom updates in the SMS system and it also has features to test created catalogs before publishing
them in SMS.

SMS  tools  for  deploying  custom  updates 

The ITCU is a new inventory tool that works with custom update catalogs such as the Adobe catalog. ITCU
creates custom collections, packages, and advertisements that are used for deploying the scan tools to
SMS clients in the enterprise. ITCU retrieves the catalog, in this case the custom updates catalog, from
an accessible SMS distribution point, performs the scan based on catalog data, inserts the results of that
scan into Windows Management Instrumentation (WMI), and reports the results via hardware inventory.

Custom updates using the CUPT can take two forms: updates that are provided by third-party vendors
for  software  they  produce,  such  as  Adobe,  and  updates  created  internally  that  are  unique  to  a  particular 
environment.  These  updates  are  distributed  as  catalogs.  Using  third-party  updates  is  a  simple  matter  of 
downloading  the  catalogs  and  adding  them  to  SMS. 

Downloading  the  Flash  Player  catalog 

Adobe provides the Flash Player catalog, AdobeFlashPlayerCatalog.cab, for licensing and use with SMS
2003 R2. You can download the catalog from your licensed download page. After you download the
catalog, you import it into the CUPT and then publish it to SMS. The rest of this section explains how to
perform these tasks.

Importing the Flash Player catalog

Follow  these  steps  to  import  the  Flash  Player  catalog  into  SMS. 

1) Select Start, All Programs and choose Systems Management Server.

2)  Select  Custom  Updates,  then  choose  Publishing  Tool  to  launch  the  Custom  Updates  Publishing  Tool 
console. 

3)  In  the  Actions  pane,  click  Import  Update(s). 

4)  Select  Next  to  accept  the  default  Single  Catalog  Import  option. 

A  wizard  asks  for  the  location  of  the  Adobe  .cab  files  you  downloaded. 

5)  Select  Browse  to  locate  and  select  the  latest  Adobe  Catalog  for  SMS. 

CUPT validates the catalog and displays the Security Warning to confirm that you would like to
accept this catalog signed and published by Adobe.

6)  Click  Accept. 

When  the  import  is  done,  the  Import  Software  Catalog  Wizard  confirmation  dialog  box  shows  the 
number  of  updates  imported. 

7)  Select  Close. 

8)  To  display  Adobe  software  updates,  click  the  Adobe  node  under  Custom  Updates  Publishing  Tool. 

Publishing  the  Flash  Player  catalog 

Follow  these  steps  to  publish  the  Flash  Player  catalog. 

1) In the tree pane of the CUPT console, select a software name (for example, Adobe Flash Player 10)
under the Adobe node.

The result pane shows the custom update software.

2) Select the desired software version in the result pane and then select Set Publish Flag in the Actions
pane. The flag should turn green.

note: Initially, custom updates are not flagged in the Publish column. Each update you want to
deploy must be flagged for publication. If an update is not flagged, it will not be included when the
request to publish is made.

If  you  want  to  see  details  about  a  software  version,  double-click  it  in  the  Result  pane. 

3)  Select  the  Adobe  node  on  the  tree  pane. 

4)  In  the  Actions  pane,  select  Publish  Updates. 

5) Check Synchronize with Site Database of Systems Management Server and select Next.

The Publish Wizard summary dialog box indicates the update is ready to be published.

6) Select Next to publish the update to SMS.

When it completes, the Publish Wizard confirmation dialog box appears indicating the
synchronization is successful.

7) Select Close.

The Custom Updates Publishing Tool closes.

8) Run the SMS Administrator Console. In the console tree, select Software Updates, select the
Action menu, and click Refresh.

The  list  of  software  updates  in  the  details  pane  should  contain  the  custom  updates  you  published. 

Confirming  successful  publication 

Follow  these  steps  to  confirm  that  the  catalog  was  successfully  published. 

1) In the SMS Administrator Console, navigate to the Software Updates Tree and highlight software.

The right pane should show the same update that was published using the CUPT tool, under the type
“Custom Update.”

2) In the Software Updates Tree, highlight Software Updates.

3) Navigate to the Advertisements Tree and highlight Custom Updates Tool. Right-click and select
Re-Run Advertisement. Select OK on the mandatory assignment pop-up note.

Advertisement  is  manually  initiated  and  Scan  for  Custom  Updates  occurs  on  all  clients.  This  scan 
takes  a  period  of  time  to  complete.  Forcing  makes  it  occur  immediately. 

You  can  view  scan  progress  by  going  to  System  Status,  Advertisement  Status,  Custom  Updates  Tool 
and  Highlight  Site  in  right  pane.  Right-click  show  messages  and  select  all.  This  displays  the  current 
status  of  the  Custom  Update  scan  and  install. 

4) Navigate to the Reporting Tree and select Reports. Sort reports in right pane by category. Scroll
down to Software Update Compliance category.

5) Select Compliance by Product Report. Leave the Product field blank and select Custom Update for
the Type value.

In the HTML report published by the Software Compliance report in this step, you should see the
update and the number of machines where the update is missing or installed.

Deploying  the  update 

Follow  these  steps  to  distribute  the  update  across  your  network  using  SMS. 

1) In the SMS Administrator Console, navigate to the Software Updates Tree and highlight Software
Updates. Right-click and select distribute software updates.

2) When the wizard opens, select update type as custom update. Select SMS package as New and
enter a Package Name of your choice (for example, “Adobe Flash Player Update 2”).

3)  Accept  the  default  Program  Name  and  enter  "Adobe  Systems  Inc."  as  the  Organization. 

4)  Change  Program  Name  to  Custom  Updates  Tool  (expedited). 

5) Check all Adobe Updates that are listed. Press the Information Button to go to the Adobe website.

6)  Select  “I  will  download  source  files  myself.” 

7)  Select  Properties  and  choose  Import.  Select  the  appropriate  MSI  file  from  your  local  hard  drive  for 
the  update  and  click  OK. 

8) Check SMS Distribution Point, Collect Inventory, and Advertise. Click Browse and select the
collection to distribute to.

You should now see a program, package, and advertisement for the Update that you created. This stage
can take up to 60 minutes to complete, since the client polling schedule is every 60 minutes. You can
expedite this process by going to Control Panel, Systems Management, and Actions Tab on the clients.
Highlight each action and click Initiate Action to trigger the client to talk to the server immediately.

Verify  that  the  update  was  successfully  installed: 

1) Navigate to the Reporting Tree and select Reports. Scroll down to Software Update Compliance
category.

2) Select Compliance by Product Report. Leave the Product field blank and select Custom Update for
the Type value.

In  the  generated  report,  you  should  see  that  all  systems  where  the  update  was  applicable  are  now 
compliant  (have  installed  the  update). 

To see which systems were not able to install the update, check the software updates node of the
generated report to determine Requested Systems (systems that are eligible for update) versus Compliant
Systems (systems that were able to install the update).

Additional  resources 

The  following  sites  provide  additional  information  about  deploying  custom  updates  with  SMS. 

• Systems Management Server 2003 Concepts, Planning, and Deployment Guide at
www.microsoft.com/technet/prodtechnol/sms/sms2003/cpdg

• Deploying Custom Software Updates with SMS 2003 R2 at
technet.microsoft.com/en-us/magazine/cc162463.aspx


Interactive  MSI  installation  using  SMS 

This  section  describes  how  to  install  Flash  Player  using  the  MSI  installer  and  the  Microsoft  Systems 
Management  Server  (SMS)  3.0  Console.  If  you  prefer  to  do  a  command  line  installation,  see  Command 
line  MSI  installations. 

The  following  instructions  assume  the  following  system  requirements: 

•  Windows  2003  Server(r2) 

•  SQL  Server  2000  (SP4) 

•  SMS  2003  (SMS3.0) 

•  Active  Directory 

•  IIS  (Microsoft  Internet  Information  Server) 

• BITS (Background Information Transfer)

•  Flash  Player  MSI 

These instructions also assume that you have already installed and configured SMS 3.

note: Installation using SMS can fail if the player is being installed on a machine where the logged-in user
does not have administrative privileges. For information on resolving this issue, see the TechNote
entitled “Flash Player MSI installation will fail on machines that don't have administrative privileges” at
www.adobe.com/go/df875c9e.

1) Start the SMS Administrator Console.

2)  Expand  the  Site  Database. 

3)  Right-click  on  Packages  and  select  New  >  Package. 

4)  On  the  Package  Properties  General  tab,  name  your  package.  You  can  also  include  additional  data, 
such  as  the  version  number,  publisher,  language,  and  comments. 

5)  On  the  Data  Source  tab,  enable  “This  package  contains  source  files”.  Click  Set  and  browse  to  the 
network  location  where  your  source  files  reside.  For  this  example,  the  Flash  Player  MSI  was  saved 
on the local C:\ drive.

6) On the Data Access tab, select “Access distribution folder through common SMS package share”
and click OK.

7) To make your Distribution Points (locations where SMS packages are stored), expand Packages,
right-click on Distribution Points and select New > Distribution Points.

8) Select Next to start the Distribution Point wizard. Select the servers to which you want to copy the
package and then click Finish.

9) Right-click on Programs and select New > Program. This creates the program that will execute your
deployment commands.

10) In the General tab, name your program and type in the command line information. In this example,
we named the program “install” and then used the following command:

msiexec /i install_flash_player_active_x.msi /qn

11)  To  designate  the  conditions  under  which  the  application  will  be  installed,  select  the  Environment 
tab.  In  this  example,  the  conditions  are,  “Only  when  a  user  is  logged  on,”  “Run  with  administrative 
rights,”  and  “Runs  with  UNC  name”. 

12) To make an advertisement that will apply the package program to the collection at a set time,
right-click on the package and select All Tasks > Distribute Software.

13) Select your Distribution Points and click Next.

14) When asked “Do you want to advertise from this package?” choose Yes, then click Next.

15) Select the program to advertise, then click Next. For this example, we named the program “install”.

16) At this point, you can select the Collection (designated group of machines that you want to target).
In the Advertisement Target pane, select “Advertise this program to an existing collection” and
select Browse. For this example, we selected “All Windows XP Systems.”

17) Select the default for the Advertisement Name, or change the name, then click Next.

18) Specify whether the advertisement should apply to subcollections, then click Next.

19) Specify when the program will be advertised, then click Next. This allows you to advertise a
program after hours when users are not on their computers.

20) You are now ready to assign your program to your collection. Select “Yes. Assign the program,”
then click Next.

21)  Look  at  the  Details  before  clicking  Finish. 

If  your  deployment  is  successful,  you  will  see  a  message  that  says,  “Program  About  to  Run”. 

Command line MSI installations

The MSI installer is provided for administrative installations using software such as Microsoft Systems
Management Server (SMS). An administrative installation is the first step in preparing an MSI installer for
deployment over a network. This section discusses how to deploy Flash Player over a Windows network
using msiexec and the MSI installer. If you prefer to do an interactive installation using the SMS Console,
see Interactive MSI installation using SMS.

note: Installation using SMS can fail if the player is being installed on a machine where the logged-in user
does not have administrative privileges. For information on resolving this issue, see the TechNote
entitled “Flash Player MSI installation will fail on machines that don't have administrative privileges” at
www.adobe.com/go/df875c9e.

To  run  an  administrative  installation,  use  the  /a  command  line  switch.  For  example,  to  run  the  Flash 
Player  ActiveX  control  installer  in  interactive  administrator  mode,  you  would  use  this  syntax: 

msiexec /a "install_flash_player_11_activeX.msi"

note:  The  examples  in  the  rest  of  this  chapter  use  the  ActiveX  control  filename.  If  you  are  installing  the 
browser  plug-in,  simply  substitute  the  correct  filename  in  your  installation. 

On some machine configurations, spaces in the MSI filename interfere with running the installer from
the command line, even with quotes around it. If you rename the MSI file for any reason, do not use any
spaces in the filename.

When started as shown above, the installer runs through its AdminUISequence, involving a series of dialog
boxes. The first dialog box is a simple welcome screen, and the next dialog prompts for the Network
location that you want to install to.

Clicking Next in the Welcome dialog runs the Network Location dialog. Clicking Install in this dialog box
deploys the admin tree to a network share.

note: The admin install includes only those files contained within the MSI file itself. Other support files
required by the installation such as bootstrap files, MSI runtime installers, or patches, should be copied
to the shared folder by some other means of your choice (manually, with a script, batch file, and so on).

Once the admin install is deployed to the shared folder, there are different ways that it can be used, in
turn, to install the product onto a workstation. These are discussed in the rest of this section.

Manually  launch  the  installer  on  the  client 

One easy way to pull the installation from an administrative image is to run it manually, by sitting at the
client machine and launching it interactively from the site on which it is being shared. You could do this
either by double-clicking the bootstrap file, or by double-clicking the MSI file. The bootstrap file is the
recommended one to use, as it automatically installs the required version of the MSI runtime first, if
needed, before launching the MSI file in turn.

note: If you've renamed the MSI file to avoid command line problems with spaces in the filename, the
bootstrap file will no longer work, because the bootstrap file is looking for a specific hard-coded
filename. In this case, run the MSI file directly instead.

Launch the installer on the client using quiet mode

If you don't need to customize the installation options, then you can run the installation
non-interactively. This method requires a command line switch, as shown below. When run in this mode, the
default options are used for all items that would be presented as choices in the interactive install.

msiexec /i "install_flash_player_11_activeX.msi" /qn

The simple command line syntax shown above works in most cases, but other command line elements
and switches are available. A more comprehensive version of the syntax looks like this (to be entered all
on one line):

%Comspec% /c msiexec /i "\\network path\install_flash_player_11_activeX.msi" /qn

In both cases, the final /qn switch must be on the same line as the rest of the command.

The  arguments  used  in  the  command  line  example  above  are  described  below. 

• %Comspec% is an environment variable provided by Windows. It points to the command
interpreter, cmd.exe.

• /c is a switch passed to cmd.exe telling the shell to wait until the msiexec.exe command completes
before proceeding. Without this switch, the shell will execute subsequent commands before the
current command finishes.

• msiexec.exe is the Windows installer runtime. When you double-click an MSI file (for example,
foo.msi) you are implicitly running msiexec /i foo.msi.

• /i instructs MSIEXEC to install the MSI file listed after the switch. There is also an /x switch that
uninstalls the MSI file specified after the /x switch.

• /qn specifies a user interface level for the action. The /qn switch suppresses all prompts and is
therefore useful for silent installations. When attempting to debug, you can switch to /qb, which
displays basic modal dialogs.

For  more  information  about  command  line  options  available  for  msiexec,  see  “Command-Line  Options” 
in  the  MSDN  Library  at  msdn.microsoft.com/en-us/library/aa367988.aspx. 

Reinstalling  a  Flash  Player  using  a  batch  routine 

If  you  need  to  uninstall  and  reinstall  the  Flash  Player,  you  can  use  a  batch  file  like  this  one: 

REM Begin quietInstall.bat
REM Uninstall Flash Player ActiveX
%Comspec% /c msiexec /x "\\network path\install_flash_player_9_activeX.msi" /qn
REM Install Flash Player ActiveX
%Comspec% /c msiexec /i "\\network path\install_flash_player_9_activeX.msi" /qn
REM End quietInstall.bat

Performing a background update

During a standard Flash Player update, a dialog box announces the availability of the update to the user
to let the user either accept, postpone, or reject the update. If the user accepts the update, the user's
default browser is launched to Adobe's site to download the latest version. Once downloaded, the user
can install the update immediately or at a later date. This type of update is called a notification update.

On Microsoft Windows and Macintosh, a Flash Player background update installs the update silently in
the background, without any user interaction. A background update installs the ActiveX Control (IE),
NPAPI plug-in (Firefox, Safari) and PPAPI plug-in (Chromium-based browsers) players when appropriate.

For some browser types, if the user has a browser open at the time of an update, the browser does not
use the updated player until a new browser instance launches. Browser instances open during the
update process continue to use the previous player version.

Background update is disabled by default. Based on the install type, the background update varies:

MSI and PKG installers do not provide update options and therefore do not set the update options in the
mms.cfg file. To set the update option when installing Flash Player using the MSI or PKG installer, deploy
a custom mms.cfg file with the desired update options.

• 32-bit Windows: C:\Windows\System32\Macromed\Flash

• 64-bit Windows: C:\Windows\SysWOW64\Macromed\Flash

•  Macintosh:  /Library/Application  Support 

All  other  installer  types:  During  installation,  you  can  select  the  update  option  (silent,  notification,  or  do 
not  update).  If  you  have  previously  opted  into  background  updates,  and  had  not  uninstalled  the  player 
(see  note  in  the  uninstall  section  about  update  options  being  reset  when  the  player  is  uninstalled),  the 
update  options  will  not  be  displayed. 

An  installation  performed  by  the  MSI  or  PKG  installer  does  not  create  or  update  these  entries  in  the 
mms.cfg  file. 

When the Flash Player is installed, it also installs a Windows 32-bit service application and task or, for a
Mac, a LaunchDaemon. When all player types are removed, the Windows service and task, or Mac
LaunchDaemon, are also removed.

If background updates are enabled, the task or LaunchDaemon checks for an update once every 24 hours.
However, if no network or internet connection is available at the time of the check, the check occurs
again every hour until a connection is detected. After the next successful check, another check does not
occur for 24 hours.

The  update  task  runs  as  the  SYSTEM  user,  not  as  the  current  user.  The  check  runs  regardless  of  who  is 
logged  on,  and  runs  even  if  no  one  is  logged  on.  The  only  requirement  is  that  the  system  has  an  internet 
connection.  It  is  the  responsibility  of  the  system  administrator  to  ensure  that  processes  running  as  the 
SYSTEM  user  account  are  correctly  configured  to  use  any  appropriate  corporate  proxies. 

Background updates from an internal server

You can use the background update mechanism to host and deploy updates on internal networks.
Deploying Flash Player from an internal server requires obtaining the Adobe Runtimes/Reader
Distribution License if you don’t have a distribution license.

Prerequisites 

•  A  server  with  the  following  configuration: 

Open  port  443  for  HTTPS  requests. 

A  valid  SSL  certificate,  issued  by  a  trusted  third-party  certificate  authority,  for  HTTPS  access 
on  port  443. 

• The ability to store files on the server in an Adobe-specified folder structure (outlined later in this
section).

•  The  ability  to  deploy  mms.cfg  configuration  files  to  clients  on  the  network. 

Configure  the  server 

1) In your server root, create the following structure: /pub/flashplayer/update/current/sau

2) Download the Background Update Resources archive from the Adobe Flash Player Distribution
page using the link in the email you received when licensing Flash Player.

A link to the Background Update Resources archive is also posted on the
https://www.adobe.com/licensing/distribution/strategies/sms.html page.

3) Unpack the downloaded .cab archive. The archive contains the required files in the appropriate
format and directory structure as required by Flash Player.

4) Copy the contents of the unpacked archive to the /sau directory created in step 1.

5) When finished, you should see something similar to the following:

Current  release: 

https://your.server.com/pub/flashplayer/update/current/sau/currentmajor.xml

https://your.server.com/pub/flashplayer/update/current/sau/11/xml/version.xml

https://your.server.com/pub/flashplayer/update/current/sau/11/install/install_all_win_ax_sgn.z

https://your.server.com/pub/flashplayer/update/current/sau/11/install/install_all_win_pl_sgn.z

https://your.server.com/pub/flashplayer/update/current/sau/11/install/install_all_mac_pl_sgn.z

https://your.server.com/pub/flashplayer/update/current/sau/20/xml/version.xml

https://your.server.com/pub/flashplayer/update/current/sau/20/install/install_all_win_ax_sgn.z

https://your.server.com/pub/flashplayer/update/current/sau/20/install_all_win_pep_sgn.z

https://your.server.com/pub/flashplayer/update/current/sau/20/install/install_all_win_pl_sgn.z

https://your.server.com/pub/flashplayer/update/current/sau/21/xml/version.xml

https://your.server.com/pub/flashplayer/update/current/sau/21/install/install_all_win_ax_sgn.z

https://your.server.com/pub/flashplayer/update/current/sau/21/install_all_win_pep_sgn.z

https://your.server.com/pub/flashplayer/update/current/sau/21/install/install_all_win_pl_sgn.z

Configure  clients 

• Create an mms.cfg file with the following entries (replacing your.server.com with the name of your
server):

AutoUpdateDisable=0

SilentAutoUpdateEnable=1

SilentAutoUpdateServerDomain=your.server.com

• Deploy Flash Player 11.3 or higher.

• Deploy the mms.cfg to all clients for which you want the Background Updater redirected to your
internal server.

The SilentAutoUpdateServerDomain server name and the CN name on the SSL cert must match (for
production and test servers).

When  hosting  the  Background  Update  resources  locally,  Flash  Player  will  only  update  in  the  background. 
Users  will  not  see  an  update  notification  informing  them  an  update  is  available.  If  the  Background  Update 
resources  are  not  hosted  locally  and  the  client  machines  are  configured  for  Background  Updates,  they 
may  occasionally  receive  notifications  that  an  update  is  available  instead  of  being  updated  through  the 
Background  Updates. 


Windows  registry  keys 

In addition to the registry keys you can use to determine the installed version of a player (see Player
versions), Flash Player creates other registry keys when it is installed or registered. These keys are
summarized in the Flash Player TechNote entitled "Flash Player | Windows registry permissions".


PKG  Installer  for  Macintosh 

To distribute Flash Player across the enterprise, use the PKG installer in conjunction with your package
management tool of choice to install Flash Player to the current volume, a non-boot volume, or a disk
image to be replicated across your enterprise.

1) Extract the Adobe Flash Player package installer (Install Adobe Flash Player.pkg) from the .DMG file.

2) Import the .PKG file into your package management tool of choice and distribute Flash Player
across your enterprise.

Silent installation of Flash Player (using .pkg installer package)

Use  the  .pkg  installer  package  to  install  the  Flash  Player  silently,  using  the  installer  utility,  to  the  current 
volume,  a  non-boot  volume,  or  a  disk  image  to  be  replicated  across  your  enterprise. 


App  installer  for  Macintosh 

Double-click  the  DMG  image  file  to  extract  the  .app  installer  bundle  and  follow  the  guided  installation 
instructions. 

note: Flash Player 11 or later is not supported on Power PCs.

Silent  installation  of  Flash  Player  (using  .app  installer  bundle) 

Do the following to silently install Flash Player 11.3 or later on Mac:

1) Extract the Adobe Flash Player installer bundle (Install Adobe Flash Player.app) from
the .dmg file.

2) Open a terminal window and change to the directory where the .app file is saved.

For example, if the .app file is saved on the Desktop of the current user, type: cd ~/Desktop

3) Run the installer contained in the .app file using the following command:

sudo ./Install\ Adobe\ Flash\ Player.app/Contents/MacOS/Adobe\ Flash\ Player\ Install\ Manager -install

4)  Type  the  password  to  proceed  with  the  installation. 

note:  You  need  to  be  a  super  user  to  proceed  with  the  installation. 


Customizing  player  behavior 

After you deploy the player, you can install a privacy and security configuration file (mms.cfg) to specify
rules about Flash Player security options and Flash application access to the file system and network. The
file controls security-related behavior of the player after installation.

The primary purpose for the mms.cfg file is to support the corporate and enterprise environments where
the IT department would like to install Flash Player across the enterprise, while enforcing some common
global security and privacy settings (supported with installation-time configuration choices). The
mms.cfg file can be used to control data loading operations, user privacy, auto-update behavior,
background update behavior, and local file security.

For  detailed  information  about  customizing  player  behavior,  see  Administration. 


Troubleshooting  installation  problems 

The  following  TechNotes  address  installation  problems  you  may  encounter. 
Troubleshoot Adobe Flash Player installation for Windows (www.adobe.com/go/tn_19166)
Troubleshoot Adobe Flash Player for Intel-based Macs (www.adobe.com/go/2dda3d81)

Safe versions security restrictions when installing Flash Player (Internet Explorer on Windows)
(http://kb2.adobe.com/cps/402/kb402435.html)


Additional  resources 

For answers to questions regarding Flash Player licensing and deployment, see Adobe Player Licensing at
www.adobe.com/licensing/distribution and the player Distribution FAQ at
www.adobe.com/licensing/distribution/faq.

To receive notification of when a new version of Flash Player is available, register for the Security Bulletin
and Advisories email notification at helpx.adobe.com/security.html.

Notifications are also posted on the Flash Player user forums. See
https://forums.adobe.com/thread/890491 for more information.

The following sites outside Adobe provide general information on deploying software on Windows
systems.

• Windows Installer Resources for System Administrators at
www.installsite.org/pages/en/msi/admins.htm.

• Applying Small Updates by Patching an Administrative Image in the MSDN library at
msdn.microsoft.com/en-us/library/aa367573.aspx.

• Applying Small Updates by Reinstalling the Product in the MSDN library at
msdn.microsoft.com/en-us/library/aa367575.aspx.

• For information on detecting player version from a website, see the "Detection and Installation"
section at the Flash Player Developer Center
(www.adobe.com/devnet/flashplayer/detection_installation.htm).
Administration

Enterprise Enablement

To help enterprises prepare for Flash Player's end of life (EOL), Adobe is making several changes to
Flash Player's behavior and functionality.

Starting with the Flash Player June 2020 release, enterprises can enable whitelisting for Flash Player.
Doing so has multiple benefits:

•  Explicitly  whitelist  Flash  Player  content  that  you  trust  and  block  all  other  Flash  content.  While 
many  browsers  provide  the  option  to  block  Flash  Player  on  a  per  site  basis,  some  do  not.  With 
this  change,  it  won’t  matter  which  browser  is  being  used  because  Flash  Player  itself  will  keep  a 
list  of  whitelisted  URLs. 

•  Any  whitelisted  content  will  continue  to  run  post  EOL,  while  all  other  Flash  Player  content  is 
blocked  by  default.  Please  be  aware  that  enabling  content  to  run  post  EOL  is  not  advised  and 
done  at  your  own  risk. 

Adobe  recommends  all  enterprise  customers  requiring  access  to  Flash  Player  content 
post  EOL  engage  with  our  distribution  and  support  partner,  HARMAN,  to  obtain 
commercial  support  solutions  that  include  security  updates. 

• Provides logging capability to identify Flash content being used by client systems. We
recommend reaching out to our distribution and support partner, HARMAN, to help identify
comprehensive solutions for enterprises with large client bases.


Enterprise  Enablement  includes  the  preferences  WhitelistPreview,  TraceOutputEcho,  EnableWhitelist, 
and  WhitelistRootMovieOnly.  In  addition,  we  recommend  you  review  the  section  “Suppressing  EOL 
Uninstall  Prompts”  for  information  on  optional  preferences  that  may  affect  your  users  in  2020. 

Suppressing  EOL  Uninstall  Prompts 

In  the  latter  half  of  2020,  as  part  of  Flash  Player's  end  of  life  (EOL)  process,  Adobe  will  start  prompting 
customers  to  uninstall  Flash  Player.  This  prompt  is  optional  and  can  be  dismissed  by  the  end  user. 

To  reduce  friction  in  a  managed  installation  environment,  administrators  can  set  either  of  the  following 
properties  in  the  client's  mms.cfg  to  disable  the  prompt  from  appearing: 

AutoUpdateDisable  =  1 

Or 

EOLUninstallDisable  =  1 

Many administrators have already configured Flash Player with AutoUpdateDisable=1, so if this is true
in your environment no additional steps are required and your users will not see the uninstall prompt.

If your workflow requires auto updates (AutoUpdateDisable=0, the default), and you would like to
suppress the uninstall prompts from appearing for your clients, set EOLUninstallDisable = 1.

EOLUninstallDisable

EOLUninstallDisable  =  [  0,  1  ]  (0  =  false,  1  =  true) 

Disabled (0) by default. EOLUninstallDisable = 1 allows system administrators to disable the uninstall
prompts that Flash Player is scheduled to start showing in the second half of 2020. When enabled (1),
users can still uninstall Flash Player, but unsolicited prompts by Adobe to uninstall Flash Player
will be suppressed.

WhitelistPreview 

WhitelistPreview  =  [  0,  1  ]  (0  =  false,  1  =  true) 

WhitelistPreview is disabled (0) by default. When EnableWhitelist = 1, requests matching patterns in
the whitelist are allowed, and the rest are blocked. After Flash Player EOL, this setting will be ignored.

Blocked requests (but not allowed requests) are logged using trace().

*** EnableWhitelist blocks 'http://www.example.com/blocked.swf'. ***

When WhitelistPreview = 1, then all requests are allowed, but trace() is used to log whether each
request would be allowed or blocked by the current whitelist:

*** WhitelistPreview: Whitelist allows 'http://www.example.com/allow.swf'. ***
*** WhitelistPreview: Whitelist blocks 'http://www.example.com/blocked.swf'. ***

NOTE: WhitelistPreview is ignored unless EnableWhitelist=1 is specified.

Example 

An admin adds the following to MMS.CFG:

# duplicate actionscript console output
# in browser's console for javascript
TraceOutputEcho=1

# Enable the Whitelist feature
EnableWhiteList=1

# Normally, the whitelist blocks URL requests
# unless the url matches a pattern in the whitelist.
# In preview mode, all requests go unblocked,
# but console output is written for each request
# indicating which pattern it matched or that
# no match was found.
WhitelistPreview=1

trace() statements from the player now appear in the browser's JavaScript console (each trace() is
prefaced with SWF: to distinguish it from other console output):
[Screenshot: browser JavaScript console for hello_world.html showing the output "SWF: Hello World!"]

TraceOutputEcho


TraceOutputEcho  =  [  0,  1  ]  (0  =  false,  1  =  true) 

Disabled by default. TraceOutputEcho=1 will cause ActionScript trace(msg:String) statements to be
duplicated in the browser's JavaScript console using console.log("SWF: " + msg).

Example

# trace() statements are echoed in the browser's javascript console
# with console.log().
TraceOutputEcho=1

# Enable the Whitelist feature
EnableWhiteList=1

# In preview mode, the whitelist won't block url requests,
# but for each url request, it will trace() whether
# the current whitelist would block or allow the request
WhitelistPreview=1

Would produce trace() output in the browser:

SWF: *** WhitelistPreview: Whitelist allows 'http://www.example.com/allow.swf'. ***

SWF: *** WhitelistPreview: Whitelist blocks 'http://www.example.com/blocked.swf'. ***

EnableWhitelist 

EnableWhitelist  =  [  0,  1  ]  (0  =  false,  1  =  true) 

Disabled by default. Lets system administrators restrict Flash Player to loading content only from a
set of whitelisted URLs. After Flash Player EOL, EnableWhitelist will default to true and the MMS.CFG
setting will be ignored.

Troubleshooting 

Flash  Player  typically  does  not  provide  visible  runtime  errors  to  end-users,  and  users  will  not  see  an 
error  message  when  a  request  is  blocked  by  the  EnableWhitelist  flag  while  using  the  generally 
available  Flash  Player  version. 

Errors related to the whitelist feature can be logged to flashlog.txt by using the Debug version of Flash
Player with logging configured, by setting ErrorReportingEnable=1 in mm.cfg. As of the time of this
writing, we recommend Firefox and Internet Explorer as the easiest browsers to configure for
debugging and logging to the filesystem.

See  the  following  guide  on  configuring  the  debugger  version  of  Flash  Player  for  details: 
https://helpx.adobe.com/flash-player/kb/configure-debugger-version-flash-player.html 

Once  enabled,  error  messages  will  be  logged  to  flashlog.txt,  and  will  look  like  this: 
Example - Root Movie Blocked

*** EnableWhitelist Activated - Root Movie Blocked ***

No WhitelistURLPattern matches 'https://www.example.com/movie.swf'.

In  this  instance,  the  parent  webpage  attempted  to  embed  a  SWF,  but  no  WhitelistUrlPattern  entry 
allows  https://www.example.com/movie.swf  to  be  loaded. 

Example  -  Root  Movie  Loaded,  Subsequent  Request  Blocked 

***  EnableWhitelist  Activated  -  Request  Blocked  *** 

No  WhitelistURLPattern  matches  'http://www.example.com/intro.html'. 

In  this  instance,  the  parent  SWF  was  permitted  to  load,  but  at  runtime,  the  SWF  attempted  to  navigate 
to  http://www.example.com/intro.html.  The  navigation  was  not  permitted  by  a  matching 
WhitelistUrlPattern  entry,  and  was  blocked. 
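
The message formats shown above (the WhitelistPreview and EnableWhitelist trace() lines and the two-line flashlog.txt entries) can be collected during a preview rollout to see what enforcement would cut off. The following is an added example, not Adobe code; the sample log is constructed from the messages on this page, and the function names are hypothetical.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample: trace() echo lines and flashlog.txt entries in the
# formats this guide shows, plus one unrelated trace line.
SAMPLE_LOG = """\
SWF: *** WhitelistPreview: Whitelist allows 'http://www.example.com/allow.swf'. ***
SWF: *** WhitelistPreview: Whitelist blocks 'http://www.example.com/blocked.swf'. ***
*** EnableWhitelist blocks 'http://www.example.com/blocked.swf'. ***
*** EnableWhitelist Activated - Root Movie Blocked ***

No WhitelistURLPattern matches 'https://www.example.com/movie.swf'.
*** EnableWhitelist Activated - Request Blocked ***
No WhitelistURLPattern matches 'http://www.example.com/intro.html'.
SWF: Hello World!
"""

INLINE = re.compile(r"\*\*\* (WhitelistPreview: Whitelist|EnableWhitelist) "
                    r"(allows|blocks) '([^']+)'")
HEADER = re.compile(r"\*\*\* EnableWhitelist Activated - "
                    r"(Root Movie|Request) Blocked \*\*\*")
DETAIL = re.compile(r"No WhitelistURLPattern matches '([^']+)'")


def parse_whitelist_log(text):
    """Return (verdict, kind, url) tuples; kind is 'preview', 'request' or 'root'."""
    events, pending = [], None
    for line in text.splitlines():
        inline = INLINE.search(line)
        if inline:
            source, verb, url = inline.groups()
            kind = "preview" if source.startswith("WhitelistPreview") else "request"
            events.append(("allowed" if verb == "allows" else "blocked", kind, url))
            continue
        header = HEADER.search(line)
        if header:
            # The blocked URL follows on a later "No WhitelistURLPattern" line.
            pending = "root" if header[1] == "Root Movie" else "request"
            continue
        detail = DETAIL.search(line)
        if detail and pending:
            events.append(("blocked", pending, detail[1]))
            pending = None
    return events


def blocked_origins(events):
    """Count blocked requests per scheme://host so gaps in the whitelist stand out."""
    counts = Counter()
    for verdict, _kind, url in events:
        if verdict == "blocked":
            parts = urlsplit(url)
            counts[f"{parts.scheme}://{parts.netloc}"] += 1
    return counts


def breaks_on_enforcement(events):
    """URLs that preview mode let through but the current whitelist would block."""
    return sorted({url for verdict, kind, url in events
                   if verdict == "blocked" and kind == "preview"})


if __name__ == "__main__":
    parsed = parse_whitelist_log(SAMPLE_LOG)
    for origin, count in blocked_origins(parsed).most_common():
        print(f"{count:3d} blocked  {origin}")
    print("would break once WhitelistPreview is turned off:",
          breaks_on_enforcement(parsed))
```
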

WhitelistRootMovieOnly 

WhitelistRootMovieOnly  =  [  0,  1  ]  (0  =  false,  1  =  true) 

Disabled by default. When enabled, whitelist restrictions apply only to the parent SWF. Subsequent
requests made from the loaded SWF to arbitrary URLs are allowed.

In  some  instances,  it  may  be  desirable  to  restrict  Flash  Player  to  loading  only  a  trusted  set  of  parent 
movies,  but  to  then  allow  those  movies  to  make  arbitrary  requests  to  other  resources.  This  minimizes 
the  number  of  WhitelistUrlPattern  entries  required,  and  provides  administrators  with  a  simple,  flexible 
option  for  narrowing  what  Flash  content  can  be  loaded  in  their  environment. 

WhitelistUrlPattern 

WhitelistUrlPattern = <scheme>://<host>:<port>/<path>

<scheme> = | 'http' | 'https'

<host> = <any char except '.' and '*'>

<port> (optional) = | <any valid port number>

<path> = '/' <any chars>


With  EnableWhitelist=1  set,  administrators  can  then  specify  a  discrete  URL  or  pattern  to  allow. 


Examples 


Pattern
    Description

http://www.example.com/folder/flash.swf
    You can use a URL as a match pattern. For instance, this pattern matches
    http://www.example.com/folder/flash.swf but not http://www.example.com/folder/file.txt.

http://www.example.com/folder/
    You can omit path components to match a set of URLs with a common prefix. For instance, this
    pattern will match http://www.example.com/folder/flash.swf and
    http://www.example.com/folder/file.txt.

http://www.example.com/
    You can omit the path entirely. For instance, this pattern will match any URL with the
    origin http://www.example.com:80/.
    NOTE: The default port for HTTP is 80, so http://www.example.com:80/ is equivalent
    to http://www.example.com/.

https://www.example.com/
    This pattern will match any URL with the origin https://www.example.com:443/.
    NOTE: The default port for HTTPS is 443, so https://www.example.com:443/ is equivalent
    to https://www.example.com/.

*://www.example.com/
    The wildcard scheme (*:) will match HTTP or HTTPS. For instance, this pattern will match
    either http://www.example.com:80/ or https://www.example.com:443/.

file://www.example.com/
    This pattern will match FILE: requests to www.example.com.

http://*.example.com/
    You can use a leading wildcard to match all subdomains of a domain. For instance,
    http://*.example.com/ matches the subdomains of example.com.
    NOTE: The wildcard must be followed by at least two labels, so http://*/ is not valid, nor is
    http://*.com/.

blob:*
    A wildcard can be used to allow all requests using the specified scheme.
    NOTE: http:*, https:* and *:* are not permitted as they are overly general.

http://192.168.1.20/
    The host can be an IPv4 address instead of a domain name. Wildcards are not supported with
    IPv4 addresses.

http://[::1]/
    The host can be an IPv6 address instead of a domain name. Wildcards are not supported with
    IPv6 addresses.
    NOTE: More than one string can represent the same IPv6 address. For instance, "[::1]" and
    "[0::1]" are equivalent, but patterns will be matched using string comparison, so
    ("[::1]" != "[0::1]").

file:///folder/file.txt
    Local file requests can omit the host.

http://user:pass@www.example.com/
    User info is ignored, so this pattern is the same as http://www.example.com/

http://www.example.com/flash.swf?query
    Query strings are ignored, so this pattern is the same as http://www.example.com/flash.swf

http://www.example.com/flash.swf#fragment
    Fragments are ignored, so this pattern is the same as http://www.example.com/flash.swf

Examples: 

Strict  -  Load  Only  Single  Specified  File,  Require  HTTPS 

Flash  Player  to  loading  only  a  trusted  set  of  parent  movies,  but  to  then  allow  those  movies  to  make 
arbitrary requests to other resources. This minimizes the number of WhitelistUrlPattern entries
required, and provides

mms.cfg

EnableWhitelist=1

WhitelistUrlPattern=https://my.intranet.com/legacyApp/application.swf

How requests would be handled:

Allowed

https://my.intranet.com/legacyApp/application.swf

Denied

http://my.intranet.com/legacyApp/application.swf
https://my.intranet.com/legacyApp/application_child.swf
https://my.intranet.com/legacyApp/other_resource.jpg
http://example.com/randomContent.xml

Strict  -  Load  Only  Content  from  Specified  Folder,  Require  HTTPS 

Allow Flash Player to load any content from a specific directory, over HTTPS only. Any child content
loaded by the parent SWF outside this directory must be explicitly whitelisted in order to load.

mms.cfg

EnableWhitelist=1

WhitelistUrlPattern=https://my.intranet.com/legacyApp/

Strict  Folder  Access,  HTTP  and  HTTPS 

Allow  Flash  Player  to  load  any  content  from  a  specific  directory,  over  HTTPS  only.  Any  child  content 
loaded by the parent SWF outside this directory must be explicitly whitelisted in order to load.

mms.cfg

EnableWhitelist=1

WhitelistUrlPattern=https://my.intranet.com/legacyApp/
WhitelistUrlPattern=http://my.intranet.com/legacyApp/

How requests would be handled:

Allowed

https://my.intranet.com/legacyApp/application.swf
https://my.intranet.com/legacyApp/application_child.swf
https://my.intranet.com/legacyApp/other_resource.jpg

Denied

https://my.intranet.com/otherApp/other_resource.txt
http://my.intranet.com/legacyApp/application.swf
http://example.com/randomContent.xml

Intermediate  -  Parent  content  must  be  loaded  from  trusted  directory,  HTTPS  and  HTTP 

Allow  Flash  Player  to  load  content  from  a  specific  trusted  directory.  Any  subsequent  content 
requested  by  the  trusted  application  will  not  be  subject  to  whitelist  restrictions. 

mms.cfg

EnableWhitelist=1

WhitelistRootMovieOnly=1

WhitelistUrlPattern=https://my.intranet.com/legacyApp/
WhitelistUrlPattern=http://my.intranet.com/legacyApp/

How the initial request for Flash content would be handled:

Allowed

https://my.intranet.com/legacyApp/application.swf
http://my.intranet.com/legacyApp/application.swf

Denied

http://my.intranet.com/legacyApp/application.swf
https://my.intranet.com/otherApp/other_resource.txt
http://example.com/randomContent.xml

Once loaded, if the SWF at https://my.intranet.com/legacyApp/application.swf (or its children) made
subsequent requests for resources available on the network, they would be permitted regardless of
whitelist restrictions.

Allowed (when requested by the permitted Flash instance):

http://my.intranet.com/legacyApp/application.swf
https://my.intranet.com/otherApp/other_resource.txt
http://example.com/randomContent.xml
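
To check a draft whitelist against known URLs before deploying it, the matching rules in the pattern table can be modelled as below. This is an added example and an approximation of the documented rules, not Flash Player's own matcher; it assumes a pattern path ending in "/" is a prefix and any other path must match exactly, that "*." covers subdomains but not the bare domain, and that the "*:" scheme covers only HTTP and HTTPS.

```python
import re
from typing import NamedTuple, Optional

DEFAULT_PORTS = {"http": 80, "https": 443}
TOO_GENERAL = {"http:*", "https:*", "*:*"}           # rejected by the guide
_URL = re.compile(r"^(?P<scheme>[A-Za-z*][A-Za-z0-9+.\-]*)://"
                  r"(?P<auth>[^/?#]*)(?P<path>/[^?#]*)?")


class Pattern(NamedTuple):
    scheme: str             # "http", "https", "file", "*" or e.g. "blob"
    host: Optional[str]     # None for a scheme-wide pattern such as blob:*
    port: Optional[int]     # None = default port of the request's scheme
    path: str


def _split(url: str):
    """Return (scheme, host, port, path); user info, query, fragment dropped."""
    m = _URL.match(url.strip())
    if not m:
        raise ValueError(f"not a scheme://host/path URL: {url!r}")
    scheme = m["scheme"].lower()
    auth = m["auth"].rpartition("@")[2]              # "user:pass@" is ignored
    if auth.startswith("["):                         # IPv6 literal, kept as typed
        host, _, rest = auth.partition("]")
        host, port = host + "]", rest.lstrip(":")
    else:
        host, _, port = auth.partition(":")
    return scheme, host.lower(), int(port) if port else None, m["path"] or "/"


def compile_pattern(text: str) -> Pattern:
    text = text.strip()
    if text in TOO_GENERAL:
        raise ValueError(f"{text!r} is overly general and not permitted")
    if re.fullmatch(r"[A-Za-z][A-Za-z0-9+.\-]*:\*", text):    # e.g. blob:*
        return Pattern(text[:-2].lower(), None, None, "")
    scheme, host, port, path = _split(text)
    if "*" in host:
        rest = host[2:]
        labels = rest.split(".")
        # Leading "*." only, at least two labels after it, no IP addresses.
        if (not host.startswith("*.") or "*" in rest or len(labels) < 2
                or not all(labels) or labels[-1].isdigit()):
            raise ValueError(f"unsupported host wildcard in {text!r}")
    return Pattern(scheme, host, port, path)


def matches(p: Pattern, url: str) -> bool:
    if p.host is None:                               # scheme-wide, e.g. blob:*
        return url.strip().lower().startswith(p.scheme + ":")
    try:
        scheme, host, port, path = _split(url)
    except ValueError:
        return False
    if p.scheme == "*":
        if scheme not in DEFAULT_PORTS:              # "*:" means HTTP or HTTPS
            return False
    elif p.scheme != scheme:
        return False
    if p.host.startswith("*."):
        if not host.endswith(p.host[1:]):            # subdomains only
            return False
    elif p.host != host:                             # plain string comparison
        return False
    default = DEFAULT_PORTS.get(scheme)
    if (p.port or default) != (port or default):
        return False
    if p.path.endswith("/"):
        return path.startswith(p.path)               # folder or whole origin
    return path == p.path                            # single resource


def is_allowed(patterns, url, is_root_movie=True, root_movie_only=False):
    """Decision under EnableWhitelist=1; root_movie_only models WhitelistRootMovieOnly=1."""
    if root_movie_only and not is_root_movie:
        return True                                  # child requests are unrestricted
    return any(matches(p, url) for p in patterns)


if __name__ == "__main__":
    whitelist = [compile_pattern("https://my.intranet.com/legacyApp/")]
    for candidate in ("https://my.intranet.com/legacyApp/application.swf",
                      "http://my.intranet.com/legacyApp/application.swf",
                      "https://my.intranet.com/otherApp/other_resource.txt"):
        print("Allowed" if is_allowed(whitelist, candidate) else "Denied ", candidate)
```
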


Privacy  and  security  settings  (mms.cfg) 

As a network administrator, you can install Flash Player across the enterprise while enforcing some
common global security and privacy settings (supported with installation-time configuration choices). To
do this, you install a file named mms.cfg on each client machine.

The  mms.cfg  file  is  a  text  file.  When  Flash  Player  starts,  it  reads  its  settings  from  this  file,  and  uses  them 
to  manage  functionality  as  described  in  the  following  sections. 

mms.cfg  file  location 

Windows 

Assuming  a  default  Windows  installation,  Flash  Player  looks  for  the  mms.cfg  file  in  the  following 
system  directories: 

• 32-bit Windows - %WINDIR%\System32\Macromed\Flash
• 64-bit Windows - %WINDIR%\SysWow64\Macromed\Flash

NOTE: The %WINDIR% location represents the Windows system directory, such as C:\WINDOWS.

Macintosh 

/Library/Application  Support/Macromedia 

Linux 

/etc/adobe/ 


note:  Unlike  Windows  and  Macintosh,  the  Linux  player  is  in  a  directory  named  adobe,  not  in  one  named 
Macromed  or  Macromedia. 

Google  Chrome 

Google  Chrome  uses  its  own  version  of  the  mms.cfg  file,  saved  at: 

• Mac: /Users/<username>/Library/Application Support/Google/Chrome/Default/Pepper Data/Shockwave Flash/System

• Win: %USERNAME%/AppData/Local/Google/Chrome/User Data/Default/Pepper Data/Shockwave Flash/System



The  System  directory  may  not  exist.  If  not,  create  it  manually. 

note: Directives such as those relating to updating Flash Player are not honored as Google embeds Flash
Player in Chrome and all updates are released by Google.

You might use third-party administration tools, such as Microsoft System Management Server, to
replicate the configuration file to the user's computer.

Use  the  standard  techniques  provided  by  your  operating  system  to  hide  or  otherwise  prevent  end  users 
from  seeing  or  modifying  the  mms.cfg  file  on  their  systems. 

Setting  options  in  the  mms.cfg  file 

This  section  discusses  how  to  format  and  set  options  in  the  mms.cfg  file.  The  value  of  some  mms.cfg 
options  can  be  queried  through  the  use  of  ActionScript.  When  this  is  possible,  the  ActionScript  API  is 
noted  in  the  option’s  description. 

File  format 

The format of the mms.cfg file is a series of name = value pairs separated by carriage returns. If a
parameter is not set in the file, Flash Player either assumes a default value or lets the user specify the
setting by responding to pop-up questions, or by using Settings dialog boxes or the Settings Manager.
(For more information on how the user can specify values for certain options, see User-configured
settings.)

The  options  in  the  mms.cfg  file  use  the  following  syntax: 

ParameterName  =  ParameterValue 

Only one option per line is supported. Specify Boolean parameters either as "true" or "false", or as
1 or 0, or as "yes" or "no".

Comments  are  allowed.  They  start  with  a  #  symbol  and  go  to  the  end  of  the  line.  This  symbol  can  be  used 
to  insert  comments  or  to  temporarily  disable  directives. 

Whitespace  is  allowed,  including  blank  lines  or  spaces  around  equal  signs  (  =  ). 

Character  encoding 

Some  mms.cfg  directives  may  have  values  that  include  non-ASCII  characters,  so  the  character  encoding 
of the file is significant in those cases. We support a standard text file convention: the file may use either
UTF-8 or UTF-16 Unicode encoding, either of which must be indicated by including a "byte order mark"
(BOM) character at the beginning of the file; if no BOM is found, Flash Player assumes that the file is
encoded using the current system default code page. Many popular text editors, including Windows
Notepad and Mac TextEdit, are capable of writing UTF-8 or UTF-16 files with BOMs, although you may
need to specify that as an option when saving.
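
The file format and encoding rules above are enough to read a deployed mms.cfg back and check it for the whitelist and update-server combinations this guide describes. The following is an added example, not Adobe code; the sample file is constructed, the finding codes are hypothetical, and it assumes option names compare case-insensitively and that the last occurrence of a single-valued option wins.

```python
import codecs
import locale

TRUE, FALSE = {"true", "1", "yes"}, {"false", "0", "no"}

# Constructed sample (not a recommended configuration), saved as UTF-16 with a BOM.
SAMPLE = codecs.BOM_UTF16_LE + (
    "# rollout configuration\r\n"
    "AutoUpdateDisable = 0\r\n"
    "SilentAutoUpdateEnable=yes\r\n"
    "SilentAutoUpdateServerDomain=your.server.com\r\n"
    'EnableWhitelist = "true"\r\n'
    "WhitelistPreview=1   # still observing\r\n"
    "WhitelistUrlPattern=https://my.intranet.com/legacyApp/\r\n"
    "WhitelistUrlPattern=http://my.intranet.com/legacyApp/\r\n"
    "EnableInsecureByteArrayShareable=1\r\n"
).encode("utf-16-le")


def decode_mms_cfg(raw: bytes) -> str:
    """UTF-8 or UTF-16 when a BOM says so, otherwise the system default encoding."""
    if raw.startswith(codecs.BOM_UTF8):
        return raw.decode("utf-8-sig")
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16")                  # the BOM selects the byte order
    return raw.decode(locale.getpreferredencoding(False), errors="replace")


def parse_mms_cfg(raw: bytes) -> dict:
    """Map lower-cased option name -> list of values (WhitelistUrlPattern repeats)."""
    options = {}
    for line in decode_mms_cfg(raw).splitlines():
        line = line.split("#", 1)[0].strip()         # comments run to end of line
        if "=" not in line:
            continue                                 # blank or not name = value
        name, value = (part.strip() for part in line.split("=", 1))
        options.setdefault(name.lower(), []).append(value)
    return options


def flag(options: dict, name: str, default: bool = False) -> bool:
    """Read a Boolean written as "true"/"false", 1/0 or "yes"/"no"."""
    values = options.get(name.lower())
    if not values:
        return default
    text = values[-1].strip('"').lower()
    return True if text in TRUE else False if text in FALSE else default


def audit(options: dict) -> list:
    """Return finding codes for combinations an administrator should review."""
    codes = []
    enabled = flag(options, "EnableWhitelist")
    preview = flag(options, "WhitelistPreview")
    if enabled and not options.get("whitelisturlpattern"):
        codes.append("whitelist-empty")              # no pattern: all content blocked
    if enabled and preview:
        codes.append("whitelist-preview-only")       # requests logged, none blocked
    if preview and not enabled:
        codes.append("preview-ignored")              # needs EnableWhitelist=1
    if enabled and flag(options, "WhitelistRootMovieOnly"):
        codes.append("root-movie-only")              # child requests unrestricted
    for name, values in options.items():
        if name.startswith("enableinsecure") and values[-1].strip('"').lower() not in FALSE:
            codes.append("insecure-override:" + name)
    domain = options.get("silentautoupdateserverdomain")
    if domain:
        # The guide pairs this with AutoUpdateDisable=0 and SilentAutoUpdateEnable=1.
        active = (flag(options, "SilentAutoUpdateEnable")
                  and not flag(options, "AutoUpdateDisable"))
        codes.append(("update-server:" if active else "update-server-inactive:")
                     + domain[-1])
    return codes


if __name__ == "__main__":
    for code in audit(parse_mms_cfg(SAMPLE)):
        print(code)
```
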

Summary  of  mms.cfg  options 

The  following  table  summarizes  the  options  available  in  mms.cfg,  in  alphabetical  order. 
Option
    Description

AllowUserLocalTrust
    Lets you prevent users from designating any files on local file systems as trusted.

AssetCacheSize
    Lets you specify a hard limit, in MB, on the amount of local storage that Flash Player uses for
    the storage of common Flash components.

AutoUpdateDisable
    Lets you prevent Flash Player from automatically checking for and installing updated versions.

AutoUpdateInterval
    Lets you specify how often to check for an updated version of Flash Player.
    This setting is for notification updates. It is not for background updates.
    Do not use this setting if the intent is to use Background Updates to update the client systems.

AVHardwareDisable
    Lets you prevent SWF files from accessing webcams or microphones. Not applicable on Chrome or
    Edge browsers.

AVHardwareEnabledDomain
    Allows SWF files from a specific domain or IP address to access webcams or microphones. Not
    applicable on Chrome or Edge browsers.

DisableDeviceFontEnumeration
    Lets you prevent information on installed fonts from being displayed.

EnableInsecureActiveXNavigateToURL
    Allows Administrators to override the Flash Player 32 and above behavior of more strictly
    enforcing Same Origin Policy with requests made from NavigateToURL() in the ActiveX Flash
    Player for IE and Edge on Windows.

DisableHardwareAcceleration
    Lets you disable hardware acceleration.

DisableNetworkAndFilesystemInHostApp
    Lets you prevent networking or file system access of any kind.

DisableProductDownload
    Lets you prevent native code applications that are digitally signed and delivered by Adobe from
    being downloaded.

DisableSockets
    Lets you enable or disable the use of the Socket.connect() and XMLSocket.connect() methods.

EnableInsecureActiveXMHTMLSupport
    Lets you override the Flash Player 32 and above default behavior of restricting the ability to
    launch Flash Player from within an MHTML (.mhtml or .mht) document.
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Option 

Description 

EnablelnsecureByteArrayShareable 

Lets  you  override  the  Flash  Player  30  and  above 
defaultbehavior  of  restricting  the  shareable  property  of  the 
ActionScript  ByteArray  API  class. 

EnablelnsecureByteArrayShareable 

D  omain 

Lets  you  override  the  Flash  Player  30  and  above 
defaultbehavior  of  restricting  theshareable  property  of  the 
ActionScript  ByteArray  API  class  on  a  per-domain  basis. 

Enables  ocketsTo 

Lets  you  create  a  whitelist  of  servers  to  which  socket 
connections  are  allowed. 

EnforceLocalSecuritylnActiveXHostA 

PP 

Lets  you  enforce  local  security  rules  for  a  specified 
application. 

FileDownloadDisable 

Lets  you  prevent  the  ActionScript  FileReference  API  from 
performing  file  downloads. 

FileDownloadEnabledDomain 

Allows  the  ActionScript  FileReference  API  to  perform  file 
downloads  from  a  specific  domain  or  IP  address. 

FileUploadDisable 

Lets  you  prevent  the  ActionScript  FileReference  API  from 
performing  file  uploads. 

FileUploadEnabledDomain 

Allows  the  ActionScript  FileReference  API  to  upload  files  to  a 
specific  domain  or  IP  address. 

FullScreenDisable 

Lets  you  disable  SWF  files  playing  via  a  browser  plug-in  from 
being  displayed  in  full-screen  mode. 

LegacyDomainMatching 

Lets you specify whether SWF files produced for Flash Player 6
and earlier can execute an operation that has been restricted
in a newer version of Flash Player.

LocalFileLegacyAction

Lets you specify how Flash Player determines whether to
execute certain local SWF files that were originally produced
for Flash Player 7 and earlier.

LocalFileReadDisable

Lets you prevent local SWF files from having read access to
files on local hard drives.

EnableInsecureLocalWithFileSystem

Lets you enable the loading of local SWF files.

LocalStorageLimit

Lets you specify a hard limit on the amount of local storage
that Flash Player uses (per domain) for persistent shared
objects.

Overrides  validation  of  the  requirements  needed  to 
implement  GPU  compositing. 

ProductDisabled 

Creates  a  list  of  ProductManager  applications  that  users  are 
not  permitted  to  install  or  launch. 

ProtectedMode 

Enables  the  Protected  mode. 

ProtectedModeBrokerWhitelistConfigFile

Bypasses the prevented actions by creating a white list of
allowed actions (policies).

ProtectedModeBrokerLogfilePath

Specifies the path to the log file where policy violations are
recorded.

RTMFPP2PDisable

Specifies how the NetStream constructor connects to a server
when a value is specified for peerID, the second parameter
passed to the constructor.

RTMFPTURNProxy

Lets Flash Player make RTMFP connections through the
specified TURN server in addition to normal UDP sockets.

SilentAutoUpdateEnable 

Enables  a  Flash  Player  update  to  install  silently  in  the 
background  with  no  user  interaction. 

SilentAutoUpdateServerDomain 

Enables you to host and deploy Flash Player silent updates
from an internal server.

SilentAutoUpdateVerboseLogging

Enables logging of warning and error codes during a
background update.

ThirdPartyStorage

Lets you specify whether third-party SWF files can read and
write locally persistent shared objects.

UseWAVPlayer

Lets you configure Flash Player to use WAV Audio for playback
instead of the Windows Core Audio APIs.

NetworkRequestTimeout 

Lets  you  configure  the  Flash  Player  timeout  for  network 
socket  requests  on  the  Windows  platform. 

EnableInsecureJunctionBehavior

Allows Administrators to override the Flash Player 14 and
above default behavior of restricting write access to paths
that traverse junction files in Windows.

EnableLocalAppData

Allows you to force Flash Player to write LSOs to the
%LOCALAPPDATA% folder instead of %APPDATA%.

DefaultLanguage

Allows you to set Flash Player’s default language.

IEClickToPlayBlocked

Provides domain black list functionality if EnableIEClickToPlay
has been turned on.

Enable  Flash  Player  click  to  play  functionality  in  Internet 
Explorer  on  Windows  7  and  below 

IEClickToPlayBypass

Provides domain whitelist functionality if EnableIEClickToPlay
has been turned on.

EventJitterMicroseconds

Important mitigation for Spectre and Meltdown
(CVE-2017-5753, CVE-2017-5715, CVE-2017-5754) style
attacks.

TimerJitterMicroseconds

Important mitigation for Spectre and Meltdown
(CVE-2017-5753, CVE-2017-5715, CVE-2017-5754) style
attacks.

InsecureJitterDisabledDomain

Adding domains to this whitelist disables important
mitigations for Spectre and Meltdown (CVE-2017-5753,
CVE-2017-5715, CVE-2017-5754) style attacks, but may
improve application performance in some limited
circumstances.

EOLUninstallDisable

EOLUninstallDisable=1 allows system administrators to
disable uninstall prompts by Flash Player scheduled to
start appearing in the second half of 2020.

WhiteListPreview 

When  EnableWhitelist  =  1  requests  matching  patterns  in 
the  white  list  are  allowed,  and  the  rest  are  blocked. 

TraceOutputEcho 

TraceOutputEcho=1 causes ActionScript trace(msg:String)
statements to be duplicated in the browser’s
JavaScript console using console.log.

EnableWhitelist 

Allows  system  administrators  to  allow  Flash  Player  to  only 
load  content  from  a  set  of  whitelisted  URLs. 

WhitelistRootMovieOnly 

Only  apply  whitelist  restrictions  to  the  parent  SWF. 
Subsequent  requests  made  from  the  loaded  SWF  to  arbitrary 
URLs  are  allowed. 

WhitelistUrlPattern 

With  EnableWhitelist=1  set,  administrators  can  then  specify  a 
discrete  URL  or  pattern  to  allow. 

This  document  describes  mms.cfg  options  that  let  you  do  the  following: 

•  Control  access  to  camera,  microphone,  and  system  font  information  (see  Privacy  options). 

•  Specify whether SWF files playing in a browser can be displayed in full-screen mode (see User
interface option).

•  Control  access  to  the  local  file  system  (see  Data  loading  and  storage  options). 

•  Specify  settings  for  Flash  Player  auto-update  (see  Update  options). 

•  Specify  adjustments  to  Flash  Player's  default  security  model  (see  Security  options). 

•  Specify whether low-level socket connections are allowed (see Socket connection options).

•  Override  settings  related  to  GPU  compositing  (see  GPU  Compositing). 


•  Specify settings related to Peer-to-Peer connections using the RTMFP protocol (see RTMFP
options).

•  Protected mode settings related to Flash Player security (see Protected mode options).

Where a setting has a default value, it is displayed in bold type.
Privacy options

Settings in this category let you: disable the use of camera and microphone devices to capture video and
audio streams; and disable the ability to view the list of system fonts installed on a user's computer.

AVHardwareDisable 

AVHardwareDisable = [ 0, 1 ] (0 = false, 1 = true)

If this value is set to 1, SWF files cannot access webcams or microphones. If this value is 0 (the default),
the Settings Manager or Settings tabs let the user specify settings for access to webcams and
microphones. (See Privacy options.)

If this value is set to 1, the privacy pop-up dialog never appears. However, the user can still access the
Privacy tab and the Settings Manager, as well as tabs to let them designate which camera or microphone
an application can use. These settings appear functional, but any choices the user makes are ignored.
Also the recording level meter on the Microphone tab is disabled, and the Camera tab does not bring up
a thumbnail of what the camera is seeing.

NOTE: In ActionScript, an author can query the System.capabilities.avHardwareDisable
property to determine the value of this setting.

AVHardwareEnabledDomain 

AVHardwareEnabledDomain  =  domain  name  or  IP  address 

If the AVHardwareDisable value is set to 1, it prohibits SWF files from accessing webcams or
microphones. The AVHardwareEnabledDomain settings provide exceptions to that rule. They create a
“white list” of approved domain names or IP addresses to which data can be transmitted using a webcam
or microphone. If the active security context is in the list of domains and IP addresses then camera and
microphone access will be allowed. Otherwise it will default to the behavior specified by the
AVHardwareDisable setting.

This value must be set to a string containing a full domain name or IP address. The string value must
exactly match the domain name or IP address to be enabled. Strings with wildcards such as *.adobe.com
or 10.1.1.* are not supported. The mms.cfg file can contain multiple AVHardwareEnabledDomain
settings to allow access to multiple domains and IP addresses.

For example, the following settings only allow access to cameras or microphones when connected to
servers with the domain name test.mydomain.com or the IP address 10.1.1.10:

AVHardwareDisable=1
AVHardwareEnabledDomain=test.mydomain.com
AVHardwareEnabledDomain=10.1.1.10

DisableDeviceFontEnumeration 

DisableDeviceFontEnumeration  =  [  0,  1  ]  (0  =  false,  1  =  true) 

This setting controls whether the Font.enumerateFonts() method in ActionScript 3.0 and the
TextField.getFontList() method in ActionScript 1.0 and 2.0 return the list of fonts installed on a
user’s system. If this value is 1, information on installed fonts cannot be returned. If this value is 0 (the
default), information on installed fonts can be returned.
EnableInsecureActiveXNavigateToURL

EnableInsecureActiveXNavigateToURL = [0,1] (0=false, 1=true)

Allows Administrators to override the Flash Player 32 and above behavior of more strictly enforcing Same
Origin Policy with requests made from NavigateToURL() in the ActiveX Flash Player for IE and Edge on
Windows. For the vast majority of Flash content, this change should be transparent. Affected content will
generally be making a request using NavigateToURL() where the protocol, host and port did not exactly
match and will likely be leveraging UNC paths, file:/// or other Windows-specific schemes in the
destination. For increased security, we recommend administrators leave this feature disabled.

User  interface  option 

The  setting  in  this  category  determines  whether  SWF  files  playing  in  a  browser  can  be  displayed  in 
full-screen  mode. 

FullScreenDisable 

FullScreenDisable  =  [  0,  1  ]  (0  =  false,  1  =  true) 

Availability:  Flash  Player  9.0.28.0. 

This setting controls whether a SWF file playing via a browser plug-in can be displayed in full-screen
mode; that is, taking up the entire screen and thus obscuring all application windows and system
controls. If you set this value to 1, SWF files that attempt to play in full-screen mode fail silently. The
default value is 0.

Full-screen  mode  is  implemented  with  a  number  of  security  options  already  built  in,  so  you  might  choose 
to  disable  it  only  in  specific  circumstances.  To  learn  more  about  full-screen  mode,  see 

www.adobe.com/go/fullscreen. 

Data  loading  and  storage  options 

Settings  in  this  category  let  you  do  the  following: 

•  prevent  local  SWF  files  from  reading  local  files 

•  prevent  uploading  and  downloading  of  files  between  remote  servers  and  local  file  systems 

•  limit  (optionally  to  zero)  the  amount  of  local  storage  web  sites  can  use  for  persistent  shared  objects 

•  limit  (optionally  to  zero)  the  size  of  the  asset  cache  (also  called  the  cross-domain  cache) 

•  prevent third-party SWF files from reading and writing locally persistent shared objects

note:  Disabling  features  may  cause  certain  web  sites  and  applications  to  work  incorrectly.  If  these 
features  are  needed  for  applications  running  in  your  environment,  do  not  disable  them. 

LocalFileReadDisable 

LocalFileReadDisable  =  [  0,  1  ]  (0  =  false,  1  =  true) 
Setting this option to 1 prevents local SWF files from having read access to files on local hard drives; that
is, local SWF files can’t even run. In addition, remote SWF files are unable to upload or download files.
The default value is 0.

If this value is set to 1, ActionScript cannot read any files referenced by a path (including the first SWF file
that Flash Player opens) on the user’s hard disk. Any ActionScript API that loads files from the local file
system is blocked. File upload/download via methods of the FileReference and FileReferenceList
ActionScript APIs are also blocked if this flag is set. In addition, any values set for FileDownloadDisable and
FileUploadDisable are ignored.

It is important to remember that, except for uploading and downloading files, the only SWF files that can
read local files are SWF files that are themselves local. Therefore, you do not need to use this option to
prevent remote SWFs from reading local data; that is always prevented anyway.

If this option is disabled, the ActionScript methods FileReference.browse() and
FileReferenceList.browse() are also disabled.

note: In ActionScript 1.0 and 2.0, an author can use the
System.capabilities.localFileReadDisable API to query the value of this setting. The
corresponding ActionScript 3.0 API is capabilities.localFileReadDisable.

EnableInsecureLocalWithFileSystem

EnableInsecureLocalWithFileSystem = [ 0, 1 ] (0 = false, 1 = true)

Beginning  with  Flash  Player  23,  local-with-network  permissions  will  now  be  applied  to  all  local  SWF 
content,  regardless  of  the  preference  chosen  at  compile  time. 

Background 

When playing Flash (SWF) content from the local filesystem, developers have historically been able to
configure content to exclusively read from the filesystem, or communicate to the network. When this
functionality was introduced over a decade ago, it enabled an interesting array of use-cases ranging from
simple games to interactive kiosks. In the context of modern web security, we believe that it is time to retire
local filesystem functionality in the browser plugin. At the same time, Adobe AIR has been established as
a robust, mature solution for delivering ActionScript-based content as a standalone application.

The vast majority of Flash Player users and content will be unaffected by this change. This change only
impacts Flash content played from the local filesystem, using the browser. Flash content hosted on the
internet and local webservers, as well as the Standalone Flash Player, remains unaffected. If you are a
user who requires this functionality, these files can be added to the list of Trusted Locations in Flash
Player.

Workarounds  for  Legacy  Content 

We highly recommend that you only circumvent these controls to enable content from sources that you
trust.

For  Individuals: 

1) On the affected system, go to the Flash Player Settings Manager:

Mac: System Preferences > Flash Player
Windows: Control Panel > Flash Player

2) Select the Advanced tab.

3) In the Developer Tools section, click the Trusted Location Settings button.

4) Click the "Add..." button and add relevant files and folders to the list.

For Google Chrome (and other PPAPI browsers):

1) Navigate to the Settings Manager page.

2) Choose Edit Locations > Add Locations from the popup list.

3) In the text field that appears, type or paste the file/folder path that you'd like to trust.

4) Click the "Confirm" button.

note: Please be aware that the "Browse for files" and "Browse for folder" buttons do not function
properly. You must manually type or copy/paste your path into the text field above the buttons to add the file
or folder to the trusted list.

For System Administrators:

The legacy behavior can be restored by applying the EnableInsecureLocalWithFileSystem=1 flag to
mms.cfg.

FileDownloadDisable 

FileDownloadDisable  =  [  0,  1  ]  (0  =  false,  1  =  true) 

If this value is set to 1, the ActionScript FileReference.download() method is disabled; the user is
not prompted to allow a download, and no downloads using the FileReference API are allowed. If this
value is set to 0 (the default), Flash Player allows the ActionScript FileReference.download()
method to ask the user where a file can be downloaded to, and then Flash Player downloads the file after
the user approves the file save location. Files are never downloaded without user approval.

FileDownloadEnabledDomain 

FileDownloadEnabledDomain  =  domain  name  or  IP  address 

If the FileDownloadDisable value is set to 1, it prevents SWF files from downloading files using the
FileReference API. The FileDownloadEnabledDomain settings provide exceptions to that rule. They
create a “white list” of approved domain names or IP addresses from which files can be downloaded. If
the active security context is in the list of domains and IP addresses then file downloads will be allowed.
Otherwise it will default to the behavior specified by the FileDownloadDisable setting.

This value must be set to a string containing a full domain name or IP address. The string value must
exactly match the domain name or IP address to be enabled. Strings with wildcards such as *.adobe.com
or 10.1.1.* are not supported. The mms.cfg file can contain multiple FileDownloadEnabledDomain
settings to allow downloading from multiple domains and IP addresses.

For example, the following settings only allow files to be downloaded from servers at test.mydomain.com
and 10.1.1.10:

FileDownloadDisable=1
FileDownloadEnabledDomain=test.mydomain.com
FileDownloadEnabledDomain=10.1.1.10

FileUploadDisable 

FileUploadDisable = [ 0, 1 ] (0 = false, 1 = true)

If this value is set to 1, all FileReference.upload(), FileReference.browse(), and
FileReferenceList.browse() activity is disabled; the user is not prompted to upload files, and no
uploads using the FileReference API are allowed. If this value is set to 0 (the default), Flash Player allows
files to be uploaded using the FileReference API. The user is prompted to select a file to upload and to
approve the selection. Files are never uploaded without user approval.

FileUploadEnabledDomain 

FileUploadEnabledDomain  =  domain  name  or  IP  address 

If the FileUploadDisable value is set to 1, it prevents SWF files from uploading files using the
FileReference API. The FileUploadEnabledDomain settings provide exceptions to that rule. They
create a “white list” of approved domain names or IP addresses to which files can be uploaded. If the
active security context is in the list of domains and IP addresses then file uploads will be allowed.
Otherwise it will default to the behavior specified by the FileUploadDisable setting.

This value must be set to a string containing a full domain name or IP address. The string value must
exactly match the domain name or IP address to be enabled. Strings with wildcards such as *.adobe.com
or 10.1.1.* are not supported. The mms.cfg file can contain multiple FileUploadEnabledDomain
settings to allow uploading to multiple domains and IP addresses.

For example, the following settings only allow files to be uploaded to servers at test.mydomain.com and
10.1.1.10:

FileUploadDisable=1
FileUploadEnabledDomain=test.mydomain.com
FileUploadEnabledDomain=10.1.1.10

LocalStorageLimit

LocalStorageLimit = [ 1, 2, 3, 4, 5, 6 ] (1 = no storage, 2 = 10 KB, 3 =
100 KB, 4 = 1 MB, 5 = 10 MB, 6 = user specifies upper limit)

This value specifies a hard limit on the amount of local storage that Flash Player uses (per domain) for
persistent shared objects. The user can use the Settings Manager or Local Storage Settings dialog box to
specify local storage limits (see Local storage options). If no value is set here and the user doesn’t specify
storage limits, the default limit is 100 KB per domain. If this value is set to 6 (the default), the user
specifies the storage limits for each domain.

If LocalStorageLimit is set, the Local Storage tab shows the limit specified, and the user can use this tab
as if the limit does not exist. If the user sets more restrictive settings than the value set by
LocalStorageLimit, they are honored (and displayed the next time the Settings dialog box is loaded). However, if the
user selects settings higher than the limit set by LocalStorageLimit, the user’s settings are ignored.

The  local  file  storage  limit  is  best  obtained  from  the  Settings  dialog  box,  because  this  security  setting  is 
just  a  maximum  value,  and  the  user  may  have  set  a  lower  limit. 

ThirdPartyStorage 

ThirdPartyStorage  =  [  0,  1  ]  (0  =  false,  1  =  true) 

Third  party  refers  to  SWF  files  that  are  executing  within  a  browser  and  have  an  originating  domain  that 
does  not  match  the  URL  displayed  in  the  browser  window. 

If this value is set to 1, third-party SWF files can read and write locally persistent shared objects. If this
value is set to 0, third-party SWF files cannot read or write locally persistent shared objects.

This setting does not have a default value. If it is not included in the mms.cfg file, the Settings Manager
or Local Storage Settings dialog box lets the user specify whether to permit locally persistent shared
objects. If the user doesn’t make any changes, the default is to permit shared objects.

AssetCacheSize 

Availability: Flash Player 9.0.115.0

AssetCacheSize = [ 0, number of megabytes ]

This value specifies a hard limit, in MB, on the amount of local storage that Flash Player uses for the
storage of common Flash components. If this option is not included in the mms.cfg file, the Settings
Manager lets the user specify whether to permit component storage. However, the user can’t specify
how much local storage space to use. The default limit is 20 MB.

Setting this value to 0 disables component storage, and any components that have already been
downloaded are purged the next time Flash Player runs.

Update  options 

Flash  Player  supports  software  updates  by  periodically  checking  for  new  versions  of  the  player  on  the 
adobe.com  site.  Settings  in  this  category  let  you  configure  the  auto-update  mechanism  used  by  Flash 
Player. You can increase or decrease the frequency of checks for newer versions, enable background
updates, or disable auto-update entirely.

Windows and Macintosh platforms support an auto-update called a notification update. A notification
update is an anonymous check that is only performed when the player is loaded to view Flash content,
typically in the browser. By default, it only occurs if it has been at least seven days since the last time it
checked for updates. Flash Player never runs in the background to perform the notification update check.

In a notification update, a dialog box announces the availability of the update to the user to let the user
either accept, postpone, or reject the update. If the user accepts the update, the new installer is
downloaded and run.

On  Microsoft  Windows  and  Macintosh,  Flash  Player  supports  a  background  update  that  installs  the 
update  silently  in  the  background,  without  any  user  interaction.  A  background  update  installs  both  the 
ActiveX  and  plug-in  players  when  appropriate. 

Update  settings  can  be  configured  by  users  with  admin  rights.  Admin  users  can  set  the  frequency  of  the 
checks,  disable  notification  updates,  or  disable  background  updates  by  using  the  Flash  Player  Settings 
Manager. For more information, see Update options.

If  you  want  to  enforce  standardized  update  settings  for  all  users,  you  can  use  the  mms.cfg  options 
discussed  in  this  section.  Also,  ensure  that  those  users  who  should  not  be  allowed  to  change  these 
settings  are  configured  as  standard  users  and  do  not  have  admin  rights. 

AutoUpdateDisable

AutoUpdateDisable = [ 0, 1 ] (0 = false, 1 = true)

If this value is set to 0 (the default), Flash Player lets a user with admin rights enable or disable all updates
for all accounts on the machine in the Settings Manager.

If this value is set to 1, Flash Player disables all updates.

NOTE: If this value is set to 1, the AutoUpdateInterval, DisableProductDownload,
ProductDisabled, and SilentAutoUpdateEnable options in this section are ignored, disabling
all non-manual updates on the system.

AutoUpdateInterval

AutoUpdateInterval = [ number of days ]

If this is a negative value (the default), Flash Player uses the notification update interval value specified
in the Settings Manager. (If users don't make any changes with the Settings Manager, the default is every
7 days.) If this value is set to 0, Flash Player checks for an update every time it starts. If this is a positive
value, the value specifies the minimum number of days between update checks.

This  applies  to  Windows  ActiveX  and  NPAPI  plug-in,  and  Mac  NPAPI  and  PPAPI  plug-ins.  Windows  PPAPI 
uses a Task Scheduler item to check for an update and does not utilize this setting in the mms.cfg file.

This setting modifies the notification update check frequency used to announce an update is available
via a notification pop-up window. It is NOT used to modify the background update check frequency. Do
NOT use this setting if the intent is to use Background Updates to update the client systems.

DisableProductDownload 

DisableProductDownload  =  [  0,  1  ]  (0  =  false,  1  =  true) 

If this value is set to 0 (the default), Flash Player can install native code applications that are digitally
signed and delivered by Adobe. Adobe uses this capability to deliver Flash Player updates through the
developer-initiated Express Install process, and to deliver the Adobe Acrobat Connect screen-sharing
functionality. If this value is set to 1, these capabilities are disabled.

However, if you want to enable some but not all product downloads, set this value to 0 (or omit it) and
then use the ProductDisabled option to specify which product downloads are not permitted.

ProductDisabled 

ProductDisabled  =  application  name 

Availability:  Flash  Player  10.0.2 

This option is effective only when DisableProductDownload has a value of 0 or is not present in the
mms.cfg file; it creates a list of ProductManager applications that users are not permitted to install or
launch.  Unlike  most  other  mms.cfg  options,  you  can  use  this  option  as  many  times  as  is  appropriate  for 
your  environment. 
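
The precedence rules stated in the sections above (exact-match exception lists, options that are ignored once another option is set to 1) can be checked mechanically before an mms.cfg is deployed. The following linter is an added example, not Adobe code; it assumes option names compare case-insensitively, that lines starting with `#` are comments, that the last occurrence of a single-valued option wins, and the severity labels are its own.

```python
from collections import defaultdict

# <feature>Disable switch -> its exception list, as documented on this page.
EXCEPTIONS = {
    "avhardwaredisable": "avhardwareenableddomain",
    "filedownloaddisable": "filedownloadenableddomain",
    "fileuploaddisable": "fileuploadenableddomain",
}
# Options the page says are ignored once AutoUpdateDisable=1.
IGNORED_BY_AUTOUPDATEDISABLE = ("autoupdateinterval", "disableproductdownload",
                                "productdisabled", "silentautoupdateenable")
# Options the page says are ignored once LocalFileReadDisable=1.
IGNORED_BY_LOCALFILEREADDISABLE = ("filedownloaddisable", "fileuploaddisable")

# Constructed sample, not taken from a real deployment.
SAMPLE = """\
# kiosk profile (constructed)
AVHardwareDisable=1
AVHardwareEnabledDomain=test.mydomain.com
AVHardwareEnabledDomain=*.adobe.com
LocalFileReadDisable=1
FileDownloadDisable=0
FileDownloadEnabledDomain=10.1.1.10
AutoUpdateDisable=1
SilentAutoUpdateEnable=1
EnableInsecureLocalWithFileSystem=1
"""


def parse_mms_cfg(text):
    """Return {lowercased option: [values in file order]}; options may repeat."""
    cfg = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        # Assumption: blank lines and '#' comment lines carry no setting.
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip().lower()].append(value.strip())
    return dict(cfg)


def is_on(cfg, key):
    """True when the option is present and its last value is 1 (assumption)."""
    return cfg.get(key, ["0"])[-1] == "1"


def domain_allowed(cfg, disable_key, domain):
    """Decide one feature for one domain: exact match on the exception list,
    otherwise fall back to the <feature>Disable switch."""
    if disable_key != "avhardwaredisable" and is_on(cfg, "localfilereaddisable"):
        return False  # page: upload/download are blocked when this flag is set
    if domain in cfg.get(EXCEPTIONS[disable_key], []):
        return True   # exact string comparison, no wildcard expansion
    return not is_on(cfg, disable_key)


def lint(cfg):
    """Return [(severity, option, message)] for settings worth a second look."""
    out = []
    for key, values in cfg.items():
        if key.startswith("enableinsecure") and any(v != "0" for v in values):
            out.append(("high", key, "overrides a default Flash Player restriction"))
        if key == "insecurejitterdisableddomain":
            out.append(("high", key, "jitter mitigation off for: " + ", ".join(values)))
    for disable_key, list_key in EXCEPTIONS.items():
        entries = cfg.get(list_key, [])
        for entry in entries:
            if "*" in entry:
                out.append(("warn", list_key, f"{entry!r}: wildcards are not supported"))
        if entries and not is_on(cfg, disable_key):
            out.append(("info", list_key, f"exception list set but {disable_key} is not 1"))
    if is_on(cfg, "autoupdatedisable"):
        out.append(("high", "autoupdatedisable", "all non-manual updates are disabled"))
        for key in IGNORED_BY_AUTOUPDATEDISABLE:
            if key in cfg:
                out.append(("warn", key, "ignored because AutoUpdateDisable=1"))
    if is_on(cfg, "localfilereaddisable"):
        for key in IGNORED_BY_LOCALFILEREADDISABLE:
            if key in cfg:
                out.append(("warn", key, "ignored because LocalFileReadDisable=1"))
    if "productdisabled" in cfg and is_on(cfg, "disableproductdownload"):
        out.append(("warn", "productdisabled",
                    "only effective when DisableProductDownload is 0 or absent"))
    return out


if __name__ == "__main__":
    for severity, option, message in lint(parse_mms_cfg(SAMPLE)):
        print(f"[{severity}] {option}: {message}")
```

Run it against the mms.cfg you intend to push; a `warn` line usually means a setting that looks active in the file has no effect at runtime.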

SilentAutoUpdateEnable

SilentAutoUpdateEnable = [ 0, 1 ] (0 = false, 1 = true)

Availability: Flash Player 11.2 for Microsoft Windows, and Flash Player 11.3 for Macintosh

Enables a Flash Player update to install silently in the background with no user interaction.

•  On Windows: Installs the ActiveX Control, NPAPI plugin, and PPAPI plugin when appropriate.

•  On Mac: Installs NPAPI plugin and PPAPI plugin when appropriate.

This type of update is called a Flash Player background update.

Standard users cannot disable background updates if they are enabled by an administrator.

Enabling silent auto updates (background updates) does not disable notification updates and users may
still receive notifications to update Flash Player, instead of the update occurring silently, in the
background.

Depending on the type of browser, if the user has a browser open at the time of an update, the browser
might not use the updated player immediately. For more information, see Performing a background
update.

The default value is 0 to disable background updates.

SilentAutoUpdateServerDomain

SilentAutoUpdateServerDomain = yourDomain

Availability: Flash Player 11.2 for Microsoft Windows

Enables you to host and deploy Flash Player background updates from an internal server. For more
information, see Background updates from an internal server. When hosting background updates internally,
Notification Updates are disabled.

SilentAutoUpdateVerboseLogging 

SilentAutoUpdateVerboseLogging  =  [  0,  1  ]  (0  =  false,  1  =  true) 

Availability: Flash Player 11.2 for Microsoft Windows, and Flash Player 11.3 for Macintosh

Enables logging of warning and error codes to FlashInstall.log during a background update. The location
of the FlashInstall.log file depends on your platform. For more information, see Player files and locations.

The  default  value  is  0  to  disable  logging. 

Security  options 

These options let you modify the default Flash Player security model. For more information on the
security model, see Security considerations.

LegacyDomainMatching 

LegacyDomainMatching  =  [  0,  1  ]  (0  =  false,  1  =  true) 

This  setting  controls  whether  to  allow  a  SWF  file  produced  for  Flash  Player  6  and  earlier  to  execute  an 
operation  that  has  been  restricted  in  a  newer  version  of  Flash  Player. 

Flash Player 6 made security sandbox distinctions based on superdomains. For example, SWF files from
www.example.com and store.example.com were placed in the same sandbox. Flash Player 7 and later
have made security sandbox distinctions based on exact domains, so, for example, a SWF file from
www.example.com is placed in a different sandbox than a SWF file from store.example.com. The
exact-domain behavior is more secure, but occasionally users may encounter a set of cooperating SWF
files that were created when the older superdomain rules were in effect, and require the superdomain
rules to work correctly.

When this occurs, by default, Flash Player shows a dialog box asking users whether to allow or deny
access  between  the  two  domains.  Users  may  configure  a  permanent  answer  to  this  question  by  selecting 
Never  Ask  Again  in  the  dialog,  or  by  visiting  the  Settings  Manager.  The  LegacyDomainMatching  setting 
lets  you  override  users'  decisions  about  this  situation. 

This setting does not have a default value. If it is not included in the mms.cfg file, the user can determine
whether to allow the operation in a global manner (using the Settings Manager), or on a case-by-case
basis (using an interactive dialog box). The values the user can choose among are “Ask,” “Allow,” and
“Deny.” The default value is “Ask”.

If this value is set to 1, Flash Player behaves as though the user answers “allow” whenever they make this
decision. If it is set to 0, Flash Player behaves as though the user answers “deny” whenever they make
this decision.

LocalFileLegacyAction 

LocalFileLegacyAction = [ 0, 1 ] (0 = false, 1 = true)

This setting controls how Flash Player determines whether to execute certain local SWF files that were
originally produced for Flash Player 7 and earlier.

Flash Player 7 and earlier placed all local SWF files in the local-trusted sandbox. Flash Player 8 and later
have, by default, placed local SWF files in either the local-with-filesystem or local-with-networking
sandbox. In order for a SWF file to be placed in the local-trusted sandbox in Flash Player 8 or later, that
SWF file must be designated trusted, using either the Settings Manager or a trust configuration file. This
latter behavior is more secure, but occasionally users may encounter an older local SWF file that was
created when the older local-trusted behavior was in effect, and must be in the local-trusted sandbox in
order to work correctly. Users are notified of such situations by a dialog box, but the dialog is only a
failure notification, not a means to trust the SWF file in question.

Users can restore the functionality of such SWF files on a case-by-case basis by designating them trusted
in the Settings Manager, but if users encounter a large number of such files, they may also elect in the
Settings Manager to place all local SWF files published for Flash Player 7 or earlier into the local-trusted
sandbox. The LocalFileLegacyAction setting lets you override users' decisions about this situation.

This setting does not have a default value. If it is not included in the mms.cfg file, the user can use the
Settings Manager to specify whether to place all older local SWF files into the local-trusted sandbox.

If this value is set to 1 (the most permissive setting), Flash Player behaves as though users had elected to
place all older local SWF files into the local-trusted sandbox. If this value is set to 0 (the most restrictive
setting), Flash Player behaves as though users had elected never to automatically place older local SWF
files into the local-trusted sandbox, and also suppresses the failure notification dialog.

AllowUserLocalTrust

This setting lets you prevent users from designating any files on local file systems as trusted (that is,
placing them into the local-trusted sandbox). This setting applies to SWF files published for any version
of Flash.

AllowUserLocalTrust = [ 0, 1 ] (0 = false, 1 = true)

If this value is set to 1 (the default), Flash Player allows the user to specify whether local files can be
placed into the local-trusted sandbox, through the use of the Settings Manager Global Security Settings
panel and user trust files. If this value is set to 0, the user cannot place files into the local-trusted sandbox.
That is, the Settings Manager Global Security Settings panel and user trust files are ignored.

EnforceLocalSecurityInActiveXHostApp

EnforceLocalSecurityInActiveXHostApp = "executable filename"

Availability: Flash Player 9

By default, local security is disabled whenever the ActiveX control is running in a non-browser host
application. In rare cases when this causes a problem, you can use this setting to enforce local security rules
for the specified application. You can enforce local security for multiple applications by entering a
separate EnforceLocalSecurityInActiveXHostApp entry for each application.

The filename string must specify the executable filename only, not the full path to the executable; if you
specify a full path, the setting is ignored. You can optionally include the EXE (Windows) or APP
(Macintosh) file extension. On the Macintosh, you can specify either the name of the actual executable or the
name of an application bundle within which the executable is located.

The text encoding of mms.cfg is significant when specified filenames include non-ASCII characters; see
Character encoding.

FullScreenInteractiveDisable

FullScreenInteractiveDisable = [ 0, 1 ] (0 = false, 1 = true)

Availability: Flash Player 11.3

If this value is set to 0 (the default), applications can enable full-screen with text input mode (known as
full-screen interactive mode). To use full-screen interactive mode, an application must prompt the user
for a key-press or mouse-click to enter the mode. Once in full-screen interactive mode, Flash Player
displays an overlay that indicates it is in full-screen interactive mode, the domain of the current page,
and an Allow button. The overlay continuously displays until the user presses Allow. Full-screen
interactive mode is intended for use by full-screen games that require text and keyboard input.

In  past  releases,  this  feature  was  available  in  AIR  applications  only. 

DisableNetworkAndFilesystemInHostApp

DisableNetworkAndFilesystemInHostApp = "executable filename"

Availability: Flash Player 9

This option is similar to EnforceLocalSecurityInActiveXHostApp, but applies to plug-ins as well as the
ActiveX control, and imposes stricter security controls. When a plug-in or ActiveX control is running
within an application specified, it will be as though the HTML parameter allowNetworking="none"
had been specified. That is, no networking or file system access of any kind will be permitted, and the
SWF running in the Flash Player will run without the ability to load any additional media or communicate
with any servers. You can enforce local security for multiple applications by entering a separate
DisableNetworkAndFilesystemInHostApp entry for each application.

The filename string must specify the executable filename only, not the full path to the executable; if you
specify a full path, the setting is ignored. You can optionally include the EXE (Windows) or APP
(Macintosh) extension. On the Macintosh, you can specify either the name of the actual executable or the name
of an application bundle within which the executable is located.

The text encoding of mms.cfg is significant when specified filenames include non-ASCII characters; see
Character encoding.

Socket  connection  options 

These settings determine whether socket connections using the ActionScript Socket and XMLSocket
classes are permitted. Socket connections also require the presence of a socket policy file on the target
server; for more information, see Data loading through different domains.

DisableSockets 

DisableSockets  =  [  0,  1  ]  (0  =  false,  1  =  true) 

Availability: Flash Player 9.0.115.0

This option enables or disables the use of the Socket.connect() and XMLSocket.connect()
methods. If you don’t include this option in the mms.cfg file, or if its value is set to 0, socket connections
are permitted to any server. If this value is set to 1, no socket connections are allowed. However, if you
want to disable some but not all socket connections, set this value to 1 and then use EnableSocketsTo to
specify one or more servers to which socket connections can be made.

EnableInsecureActiveXMHTMLSupport

EnableInsecureActiveXMHTMLSupport = [0, 1] (0 = false, 1 = true)

This setting allows Administrators to override the Flash Player 32 and above behavior of restricting the
ability for Flash Player to launch when loaded from an MHTML (.mhtml or .mhtm) document. We
recommend that administrators leave this feature disabled.

EnableInsecureByteArrayShareable

EnableInsecureByteArrayShareable = [0, 1] (0 = false, 1 = true)

This setting will allow Administrators to override the Flash Player 30 and above default behavior of
restricting the shareable property of the ActionScript ByteArray API class. Shared ByteArrays are used to
share data between threads with ActionScript "Workers." Shared ByteArrays are an advanced feature of
the ActionScript API set and not commonly used in the vast majority of published Flash content. For
increased security, we recommend administrators leave this feature disabled.

EnableInsecureByteArrayShareableDomain

EnableInsecureByteArrayShareableDomain = domain name or IP address

By default, Flash Player 30 and above will no longer allow the shareable property of the ActionScript
ByteArray API class. The EnableInsecureByteArrayShareableDomain settings provide exceptions to that rule.
Administrators can create a "white list" of approved domain names or IP addresses to which the
EnableInsecureByteArrayShareable setting will apply. If the active security context is in the list of
domains and IP addresses, then access to the sharable ByteArray property will be allowed. Otherwise,
sharable ByteArray access will be denied.

For domain names, prefixing a * wildcard is allowed. For example, *.adobe.com would allow all Flash
content with the "shareable" property to run on www.adobe.com, get.adobe.com, helpx.adobe.com,
and so on. Wildcards are not allowed when specifying IP addresses.

For example, the following settings only allow SWFs using the shareable ByteArray property to servers at
test.mydomain.com and 10.1.1.10:

EnableInsecureByteArrayShareableDomain=test.mydomain.com
EnableInsecureByteArrayShareableDomain=10.1.1.10

EnableSocketsTo 

EnableSocketsTo  =  [  host  name,  IP  address  ] 

Availability: Flash Player 9.0.115.0

This option is effective only when DisableSockets has a value of 1; it creates a whitelist of servers to
which socket connections are allowed. Unlike most other mms.cfg options, you can use this option as
many times as is appropriate for your environment. Note that the servers specified are target servers, to
which socket connections are made; they are not origin servers, from which the connecting SWF files are
served.

The values specified here must exactly match the values specified in the ActionScript connect()
methods. If you specify an IP address here, but the connect() method specifies a host name, the
method fails even if that host name resolves to the specified IP address. Similarly, if you specify a host
name here but the connect() method specifies an IP address, the method fails.

Using this option does not take the place of a socket policy file on the target server. That is, this option
has no effect if the specified server does not have a socket policy file.

GPU  Compositing 

Flash Player rendering can use the graphics processor unit (GPU) on the video card to accelerate image
compositing. In certain circumstances, Flash Player disables GPU compositing. The option in this section
lets you override this action and enable GPU compositing.

OverrideGPUValidation 

OverrideGPUValidation=  [  0,  1  ]  (0  =  false,  1  =  true) 

Availability:  Flash  Player  10.0.2 

The GPU compositing feature is gated by the driver version for video cards. If a card and driver
combination does not match the requirements needed to implement compositing, set OverrideGPUValidation to
1 to override validation of the driver requirements. For example, you might want GPU compositing
enabled during a specific test suite, even if the video driver in the test machine doesn’t meet compositing
requirements. This setting overrides driver version gating but still checks for VRAM requirements.

Adobe recommends that you use this setting with care. Overriding GPU validation can result in rendering
problems or system crashes due to driver issues. After completing the tests or programming tasks that
require the use of this setting, consider setting it back to 0 (or removing it from the mms.cfg file) for
normal operations.

RTMFP options

The mms.cfg options described in this section let you specify settings related to peer-to-peer (P2P)
connections and the Real Time Media Flow Protocol (RTMFP). For more information about RTMFP, see
the FAQ at www.adobe.com/go/rtmfp_faq.

RTMFPP2PDisable 

RTMFPP2PDisable=  [  0,  1  ]  (0  =  false,  1  =  true) 

Availability:  Flash  Player  10.0.2 

This option specifies how the NetStream constructor connects to a server when a value is specified for
peerID, the second parameter passed to the constructor. If RTMFPP2PDisable has a value of 0 or is not
present in the mms.cfg file, a peer-to-peer (P2P) connection can be used. If this value is 1, any value
specified for peerID is ignored and P2P connections are disabled; NetStream objects can connect only to Flash
Media Server.

RTMFPTURNProxy 

RTMFPTURNProxy  =  URL  of  TURN  proxy  server 

Availability:  Flash  Player  10.0.2 

If  this  option  is  present,  Flash  Player  attempts  to  make  RTMFP  connections  through  the  specified  TURN 
server  in  addition  to  normal  UDP  sockets.  TURN  Servers  are  useful  for  conveying  RTMFP  network  traffic 
through  firewalls  that  otherwise  block  UDP  packets. 

Protected  mode  options 

Flash Player Protected mode is a new security enhancement designed to limit the impact of attacks
launched from malicious SWF files against Flash Player. In the Protected mode, SWFs are rendered using
a sandboxed Flash Player runtime.

note: The Protected mode is available with Flash Player in Firefox 4.0 or later on Windows Vista and
Windows 7.

On Windows Vista and Windows 7, the Protected mode is enabled by default. However, you can disable
it using the appropriate option in the mms.cfg.

Protected Mode

ProtectedMode = [0, 1] (0 = off, 1 = on)

Availability: Flash Player 11.3

This option specifies whether the protected mode is enabled. If enabled, on Windows Vista and later,
SWFs are rendered in Firefox 4.0 or later using a sandboxed Flash Player runtime.

ProtectedModeBrokerWhitelistConfigFile 

ProtectedModeBrokerWhitelistConfigFile = [0, 1] (0 = false, 1 = true)

Availability: Flash Player 11.3

Protected mode prevents a number of actions that can be bypassed by creating a white list of allowed
actions (policies). The component that performs the actions based on the policies is called a “broker.” If
a properly configured policy file is provided, the broker can bypass the application’s default restrictions.

If this option is set to true, provide a policy file.

Ensure the following if you want to provide a policy file:

• Name the policy file as ProtectedModeWhitelistConfig.txt.

• Provide policy file in the Flash directory:

- 32-bit Windows - %WINDIR%\System32\Macromed\Flash

- 64-bit Windows - %WINDIR%\SysWow64\Macromed\Flash

ProtectedModeBrokerLogfilePath 

ProtectedModeBrokerLogfilePath = path to the log file

Availability: Flash Player 11.3

Specifies the path to the log file to record the policy file violations. If a path is not provided, no file is
created. This option is applicable only if ProtectedModeBrokerWhitelistConfigFile is set to
true.

Hardware  Options 

The  options  in  this  category  let  you  select  appropriate  settings  for  your  computer  hardware. 

DisableHardwareAcceleration 

DisableHardwareAcceleration  =  [0,  1]  (0  =  false,  1  =  true) 

If this option is set to 1, hardware acceleration is disabled. You can use this option if you suspect that
hardware acceleration is causing your system to become unstable.

Audio  Options 

The  options  in  this  category  let  you  select  audio  settings  for  your  computer. 

UseWAVPlayer

UseWAVPlayer = [0, 1] (0 = false, 1 = true)

If this option is set to 1, Flash Player will use WAV Audio for playback instead of the Windows Core Audio
APIs. Use this option if you face audio playback problems in Flash Player on Windows 7 or higher.

NetworkRequestTimeout 

NetworkRequestTimeout = [1-30] (configurable from 1 to 30 seconds, default = 5)

Availability: Flash Player 14

If you encounter delays loading web content due to slow or blocked network access, reducing this
number allows Flash Player to shorten the time it waits for a network response and possibly improve
page responsiveness.

If  the  Flash  content  requires  additional  time  before  the  server  responds,  increasing  this  value  will  extend 
the  period  before  Flash  Player  gives  up  on  the  network  request. 

EnableInsecureJunctionBehavior

EnableInsecureJunctionBehavior = [0,1] (0=true, 1=false)

This setting will allow Administrators to override the Flash Player 14 and above default behavior of
restricting write access to paths that traverse junction files in Windows. This flag will only work in
Internet Explorer with Protected Mode disabled.

We recommend that Administrators use this flag as a short term workaround and instead focus on a
solution where the user’s appdata folder remains in the local user profile folder.

EnableLocalAppData 

EnableLocalAppData=  [  0,  1  ]  (0  =  false,  1  =  true  ) 

If this value is set to 1, Flash Player’s LSO location will be changed from %APPDATA% to
%LOCALAPPDATA%. This option will provide relief to administrators who have chosen to store their users'
%APPDATA% folders on a network volume but do not want Flash Player data impacted (by both security
and performance issues) by also being located on the network volume. If an admin enables this new
MMS property, Flash data will always be written on the local system.

DefaultLanguage 

DefaultLanguage = language name from chart below

This  property  allows  the  user  or  admin  to  override  Flash  Player's  default  language  by  specifying  one  of 
the  languages  in  the  table  below. 


Language                   Value   Win  Mac  PPAPI
Arabic                     ar      Y    Y    N
Bulgarian                  bg      Y    Y    N
Czech                      cs      Y    Y    Y
Danish                     da      Y    Y    N
German                     de      Y    Y    Y
Greek                      el      Y    Y    N
English                    en      Y    Y    Y
English - United Kingdom   en_gb   Y    Y    N
Spanish                    es      Y    Y    Y
Estonian                   et      Y    Y    N
Finnish                    fi      Y    Y    N
French                     fr      Y    Y    Y
Hebrew                     he      Y    Y    N
Croatian                   hr      Y    Y    N
Hungarian                  hu      Y    Y    N
Italian                    it      Y    Y    Y
Japanese                   ja      Y    Y    Y
Korean                     ko      Y    Y    Y
Azeri                      lt      Y    Y    N
Latvian                    lv      Y    Y    N
Norwegian                  nb      Y    Y    N
Dutch                      nl      Y    Y    Y
Polish                     pl      Y    Y    Y
Portuguese                 pt      Y    Y    Y
Portuguese - Portugal      pt_pt   Y    Y    N
Romanian                   ro      Y    Y    N
Russian                    ru      Y    Y    Y
Slovak                     sk      Y    Y    N
Slovenian                  sl      Y    Y    N
Serbian                    sr      Y    Y    N
Swedish                    sv      Y    Y    Y
Thai                       th      Y    Y    N
Turkish                    tr      Y    Y    Y
Ukrainian                  uk      Y    Y    N
Chinese - China            zh-CN   Y    Y    Y
Chinese - Taiwan           zh-TW   Y    Y    Y

IEClickToPlayBlocked 


IEClickToPlayBlocked  =  domain  name  or  IP  address 

This option is effective only when EnableIEClickToPlay has a value of 1; it creates a blacklist of servers to
which all Flash content hosted on the server will not play. If blacklisted, the user will not be presented
with a play button and the content will not render. Unlike most other mms.cfg options, you can use this
option as many times as is appropriate for your environment.

For domain names, prefixing a * wild card is allowed. For example, *.adobe.com would block all
Flash content hosted on www.adobe.com, get.adobe.com, helpx.adobe.com, etc. Wild cards are not
allowed when specifying IP addresses.

Whitelists and blacklists can be used in conjunction with each other. For example, enterprises wishing to
minimize Flash usage to only their company sub-domains can add the following to their user's MMS.CFG:

EnableIEClickToPlay = 1
IEClickToPlayBlocked = *
IEClickToPlayBypass = *.myenterprise.com

These two entries would disable all Flash playback except for that on any sub-domain of
myenterprise.com, which would run without any user intervention.


EnableIEClickToPlay


EnableIEClickToPlay = [ 0, 1 ] (0 = false, 1 = true)

Beginning with Flash Player 27, administrators now have the ability to change Flash Player's behavior
when running on Internet Explorer on Windows 7 and below by prompting the user before playing SWF
content.

Once enabled, visible Flash Content within the page will be displayed with a “Play” button. When this
play button is clicked, content playback will start immediately.

Please note that, due to different methods used to instantiate Flash, clicking the play button may
occasionally fail. If this occurs, we recommend that administrators white list approved domains or URLs to
allow content to function properly. See IEClickToPlayBypass for more details.


IEClickToPlayBypass 


IEClickToPlayBypass = domain name or IP address

This option is effective only when EnableIEClickToPlay has a value of 1; it creates a whitelist of servers to
which all Flash content hosted on the server will play back immediately, and without user intervention.
Unlike most other mms.cfg options, you can use this option as many times as is appropriate for your
environment.

For domain names, prefixing a * wild card is allowed. For example, *.adobe.com would allow all Flash
content to run on www.adobe.com, get.adobe.com, helpx.adobe.com, and so on. Wild cards are not
allowed when specifying IP addresses.

Whitelists and blacklists can be used in conjunction with each other. For example, enterprises wishing to
minimize Flash usage to only their company sub-domains can add the following to their user's MMS.CFG:

EnableIEClickToPlay = 1
IEClickToPlayBlocked = *
IEClickToPlayBypass = *.myenterprise.com

These two entries would disable all Flash playback except for that on any sub-domain of
myenterprise.com, which would run without any user intervention.


EventJitterMicroseconds 

EventJitterMicroseconds  =  0 
(0  =  disabled;  entry  not  present  =  enabled) 

Availability: Flash Player 30.0.0.113

Setting this value to 0 disables an important mitigation for Spectre and Meltdown (CVE-2017-5753,
CVE-2017-5715, CVE-2017-5754) style attacks, but may improve application performance in some
limited circumstances. To enable the setting, delete the entry from the mms.cfg file.


TimerJitterMicroseconds 

TimerJitterMicroseconds = 0
(0 = disabled; entry not present = enabled)

Availability: Flash Player 30.0.0.113

Setting this value to 0 disables an important mitigation for Spectre and Meltdown (CVE-2017-5753,
CVE-2017-5715, CVE-2017-5754) style attacks, but may improve application performance in some
limited circumstances. To enable the setting, delete the entry from the mms.cfg file.


InsecureJitterDisabledDomain 


InsecureJitterDisabledDomain = domain name or IP address

Adding domains to this whitelist disables important mitigations for Spectre and Meltdown
(CVE-2017-5753, CVE-2017-5715, CVE-2017-5754) style attacks, but may improve application
performance in some limited circumstances. To re-enable the setting, delete the entries from the mms.cfg file.

For domain names, prefixing a * wildcard is allowed. For example, *.adobe.com would disable jitter
mitigations on www.adobe.com, get.adobe.com, and helpx.adobe.com, and so on. Wildcards are not
allowed when specifying IP addresses.

For example, the following settings would disable timer and event jitter at test.mydomain.com and
10.1.1.10:

InsecureJitterDisabledDomain=test.mydomain.com
InsecureJitterDisabledDomain=10.1.1.10
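
An added example, not part of the guide: a short Python audit that reads an mms.cfg and reports the entries this chapter describes as relaxing the default security model, list entries that break the wildcard rule, and EnableSocketsTo entries that have no effect. The sample file and its .example host names are constructed, and matching option names case-insensitively is an assumption of the script.

```python
# (option, value) pairs the guide describes as relaxing a default restriction.
# Keys are lower-cased: case-insensitive matching is this script's choice so
# that mis-cased entries still get reviewed, not documented player behaviour.
RISKY = {
    ("legacydomainmatching", "1"): "access under the old superdomain rules is always allowed",
    ("localfilelegacyaction", "1"): "all older local SWF files go to the local-trusted sandbox",
    ("enableinsecureactivexmhtmlsupport", "1"): "Flash Player may launch from MHTML documents",
    ("enableinsecurebytearrayshareable", "1"): "restriction on the shareable ByteArray property is lifted",
    ("protectedmode", "0"): "sandboxed Protected mode runtime is switched off",
    ("overridegpuvalidation", "1"): "GPU driver version gating is overridden",
    ("eventjittermicroseconds", "0"): "event jitter mitigation is disabled",
    ("timerjittermicroseconds", "0"): "timer jitter mitigation is disabled",
}

# Repeatable "domain name or IP address" options. A message means every entry
# is an exception to a restriction; None means the list itself is restrictive.
DOMAIN_LISTS = {
    "enableinsecurebytearrayshareabledomain": "shareable ByteArray allowed for",
    "insecurejitterdisableddomain": "jitter mitigations disabled for",
    "ieclicktoplaybypass": "content plays without a prompt from",
    "ieclicktoplayblocked": None,
}

# Constructed sample, not taken from the guide.
SAMPLE_MMS_CFG = """\
LegacyDomainMatching = 0
LocalFileLegacyAction = 1
EnableInsecureByteArrayShareable = 1
EnableInsecureByteArrayShareableDomain = *.corp.example
EnableInsecureByteArrayShareableDomain = 10.1.1.*
EnableSocketsTo = feeds.corp.example
TimerJitterMicroseconds = 0
ProtectedMode = 1
"""


def parse_mms_cfg(text):
    """Return [(line number, key, value)]; repeated keys are all kept."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        key, sep, value = line.partition("=")
        if sep and key.strip():  # lines without "key =" are skipped
            entries.append((lineno, key.strip(), value.strip().strip('"')))
    return entries


def wildcard_problem(value):
    """Return a message if value breaks the wildcard rules stated in the guide."""
    if "*" not in value:
        return None
    labels = value.split(".")
    if len(labels) > 1 and all(l == "*" or l.isdigit() for l in labels):
        return "wildcards are not allowed in IP addresses"
    if "*" in value[1:]:
        return "only a leading * wildcard is allowed"
    return None


def audit(text):
    """Return [(line number, key, message)] for entries that need review."""
    entries = parse_mms_cfg(text)
    sockets_disabled = any(
        k.lower() == "disablesockets" and v == "1" for _, k, v in entries
    )
    findings = []
    for lineno, key, value in entries:
        k = key.lower()
        if (k, value) in RISKY:
            findings.append((lineno, key, RISKY[(k, value)]))
        elif k == "enableinsecurejunctionbehavior":
            # The guide's value legend for this option reads "(0=true, 1=false)",
            # so any entry is reported for review rather than interpreted.
            findings.append((lineno, key, "junction write restriction override present"))
        elif k in DOMAIN_LISTS:
            problem = wildcard_problem(value)
            if problem:
                findings.append((lineno, key, problem))
            elif DOMAIN_LISTS[k]:
                findings.append((lineno, key, f"{DOMAIN_LISTS[k]} {value}"))
        elif k == "enablesocketsto" and not sockets_disabled:
            findings.append(
                (lineno, key, "no effect unless DisableSockets = 1; sockets are permitted to any server")
            )
    return findings


if __name__ == "__main__":
    for lineno, key, message in audit(SAMPLE_MMS_CFG):
        print(f"line {lineno}: {key}: {message}")
```
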
The Global FlashPlayerTrust directory

Application installers can specify that certain files or directories of files that are stored on the user’s
computer should be trusted for all users, and be placed in a local-trusted sandbox. (For a discussion of
sandboxes, see Security sandboxes for local content.) If you are deploying applications with content that
should be trusted for all users on a computer, you can place trust information for that application in a
directory that you specify as a trusted directory. Because information in this directory applies to all users,
the directory requires administrative access.

This directory is named FlashPlayerTrust, and is called the Global FlashPlayerTrust directory. It is located
alongside the directory that contains the mms.cfg file (see mms.cfg file location). For example, if the
mms.cfg file is in C:\Windows\System32\Macromed\Flash, the location of the Global FlashPlayerTrust
directory is C:\Windows\System32\Macromed\FlashPlayerTrust. (For information on specifying content
as trusted only for the current user, see The User FlashPlayerTrust directory.)

The Global FlashPlayerTrust directory can contain any number of trust configuration files. At startup,
Flash Player reads all files in this directory. The names of these files are unimportant; you can choose any
filenames you want for your trust configuration files. Generally, each file contains information on a single
application, but you can put information on several applications in a single file if you prefer. The
configuration file is a text file; each line contains the name of a file or directory to be trusted. If you specify a
directory, all files at or below that directory level are trusted.



Create  a  configuration  file  to  trust  a  file  or  directory 

1) Create a new file in the Global FlashPlayerTrust directory using a text editor, and save it with a
unique name.

Choose a name for your trust configuration file that is unlikely to collide with the names of any other
trust configuration files that might be installed. One good way to do this is to name the file after the
particular product you are trusting. For example, if you are trusting an employee vacation
application, you might call the trust configuration file EmployeeVacation.cfg.

2) Type or paste each directory path (any directory path on the user’s hard disk) or file name on a new
line in the file. You can paste multiple directory paths on separate lines. When you finish, your file
might look similar to the following:

# Trust all files in the Employee online calendar app
C:\Program Files\Personnel\Employees\OnlineCalendar

# Trust the file that checks remaining vacation days for an employee
C:\Program Files\Personnel\Employees\VacationDaysRemaining.swf

In this example, the SWF file is not in the same directory as the online calendar app, so it must be
trusted separately.

3) Save your changes.

4) To test whether the files have been trusted correctly, you can do one of the following:

Run the SWF file named in the configuration file.

Create a SWF file in the trusted directory that displays the value returned by the ActionScript
API System.security.sandboxType (ActionScript 1.0 or 2.0) or
Security.sandboxType (ActionScript 3.0). Run the SWF file in a browser, not through the
use of the Test Movie command in Flash. (When SWF files run via Test Movie, local security is
not implemented.) The value should be "localTrusted".
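
An added example, not part of the guide: a Python review helper for the trust configuration files described above. It applies the documented rule that a listed directory trusts everything at or below it, reports which entry covers a given SWF path, and flags very broad entries. The second sample file, the Windows path comparison via PureWindowsPath (case-insensitive) and the three-component breadth threshold are assumptions of this sketch.

```python
from pathlib import PureWindowsPath

# Constructed contents of a Global FlashPlayerTrust directory: file name -> text.
# The first file repeats the guide's example; the second is invented for the demo.
SAMPLE_TRUST_DIR = {
    "EmployeeVacation.cfg": (
        "# Trust all files in the Employee online calendar app\n"
        "C:\\Program Files\\Personnel\\Employees\\OnlineCalendar\n"
        "\n"
        "# Trust the file that checks remaining vacation days for an employee\n"
        "C:\\Program Files\\Personnel\\Employees\\VacationDaysRemaining.swf\n"
    ),
    "OldKiosk.cfg": "C:\\\n",
}


def parse_trust_file(text):
    """Return the paths listed in one trust file, skipping blank and # lines."""
    paths = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            paths.append(PureWindowsPath(line))
    return paths


def trusted_by(swf_path, trust_dir):
    """List (file name, entry) pairs that place swf_path in the local-trusted sandbox."""
    target = PureWindowsPath(swf_path)
    hits = []
    for name in sorted(trust_dir):
        for entry in parse_trust_file(trust_dir[name]):
            # An entry covers the file itself or, when it names a directory,
            # every file at or below that directory.
            if entry == target or entry in target.parents:
                hits.append((name, str(entry)))
    return hits


def broad_entries(trust_dir, min_parts=3):
    """Flag entries with fewer than min_parts path components.

    A drive root such as C:\\ has one component, C:\\Users has two. The
    threshold is a review heuristic chosen for this example.
    """
    flagged = []
    for name in sorted(trust_dir):
        for entry in parse_trust_file(trust_dir[name]):
            if len(entry.parts) < min_parts:
                flagged.append((name, str(entry)))
    return flagged


if __name__ == "__main__":
    sample = r"C:\Users\Public\Downloads\unknown.swf"
    print("covering entries:", trusted_by(sample, SAMPLE_TRUST_DIR))
    print("broad entries:", broad_entries(SAMPLE_TRUST_DIR))
```
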
User-configured settings


End  users  can  set  a  variety  of  options  for  managing  privacy  and  security  settings  when  running  Adobe 
Flash  Player  on  their  computers. 


Accessing  user  settings 

Flash  Player  lets  users  make  a  number  of  decisions  regarding  privacy,  local  storage,  and  so  on.  These 
settings  are  available  to  the  user  in  three  primary  ways: 

•  Pop-up  dialogs  that  appear  when  Flash  Player  tries  to  perform  an  activity  that  requires  user 
consent,  such  as  accessing  a  camera  or  saving  data  to  disk. 

• A tabbed set of dialogs that the user can display by right-clicking (command-clicking on the
Macintosh) and choosing Settings from the context menu.

• The Flash Player Settings Manager, which the user can display by right-clicking (command-clicking
on the Macintosh) and choosing Global Settings from the context menu.

Users  can  also  display  the  Flash  Player  Settings  Manager  from  their  OS-specific  native  settings  utility,  as 
follows: 

•  Macintosh:  System  Preferences  >  Flash  Player 

•  Windows: 

XP:  Control  Panel  >  Flash  Player 

Vista:  Control  Panel  >  Classic  View  >  Flash  Player 

Windows 7 and above: Control Panel\All Control Panel Items > Flash Player

•  Linux:  Although  this  varies  slightly  between  distros,  it  is  usually  Settings  >  Preferences  >  Flash 
Player 

In  many  cases,  you  can  use  the  mms.cfg  file  to  override  user-specified  settings,  and  implement  more 
stringent  or  more  accessible  settings.  For  more  information,  see  Administration. 

note: If you use the mms.cfg file to override user settings, the mms.cfg settings are unavailable or
disabled to the end user. For example, when AutoUpdate is disabled via mms.cfg
(AutoUpdateDisable=1), the Check for Updates section in the Settings Manager is disabled. If you think this might be
confusing for your users, you might want to let them know that certain settings are unavailable to them.

Much of the information in this section is excerpted from the online Help for Flash Player settings. The
Help is geared towards end users, and provides additional explanatory information that might help you or
your users more fully understand certain options that are available. The home page for Flash Player help
is www.adobe.com/go/player_help_en.

note:  In  the  following  sections,  screen  shots  are  provided  to  illustrate  the  pop-up  dialog  boxes  and  the 
tabbed  Settings  Panels.  For  Settings  Manager  pages,  links  are  provided  instead  of  screen  shots,  so  you 
can navigate to that page and see the actual Settings Manager online.

Privacy options

Privacy options let the user specify whether an application can have access to the camera or microphone.
Users specify these options in one of several ways, summarized below. You can use the AVHardwareDisable
option in the mms.cfg file to override user privacy settings.

•  The  first  time  a  site  tries  to  access  the  camera  or  microphone,  a  pop-up  dialog  appears.  This  dialog 
lets  the  user  specify  a  one-time  preference  to  allow  or  deny  access. 

•  The  Privacy  tab  lets  the  user  allow  or  deny  access  to  the  camera  and  microphone  for  all  applications 
from  the  current  website  without  asking  for  permission  each  time. 

• The Website Privacy Settings Panel at www.adobe.com/go/website_privacy_settings lets the user
specify settings for any of the web sites that have already requested permission to use the camera
or microphone.

• The Global Privacy Settings Panel at www.adobe.com/go/global_privacy_settings lets the user
reset privacy options for all web sites.

Local  storage  options 

Local storage options let the user specify whether an application can place a shared object on their
computer, and the maximum size that object can attain. Applications use shared objects to store data
such as user names, game scores, shopping preferences, and so on. Users specify these options in one of
several ways, summarized below. You can use a number of options in the mms.cfg file to override user
local storage settings; see Data loading and storage options.

•  The  first  time  a  site  tries  to  store  information  on  the  user’s  computer,  a  pop-up  dialog  appears.  This 
dialog  lets  the  user  specify  a  one-time  preference  to  allow  or  deny  access. 

•  The  Local  Storage  tab  lets  the  user  allow  or  deny  access  for  local  storage  for  all  applications  from 
the  current  website  without  asking  for  permission  each  time. 

•  The  Website  Storage  Settings  Panel  at  www.adobe.com/go/website_storage_settings  lets  the  user 
specify  storage  settings  for  any  of  the  web  sites  that  have  already  requested  permission  to  store 
data  locally. 

• The Global Storage Settings Panel at www.adobe.com/go/global_storage_settings lets the user
specify storage settings for any web sites that have not yet requested permission to store data
locally. This panel also lets the user choose whether to store data for third-party local shared
objects (objects being stored by a website whose originating domain does not match the URL
displayed in the browser window) and whether to store common Flash components to reduce
download times.

Update  options 

Update  options  let  the  user  specify  whether  Flash  Player  should  display  a  notification  when  a  new  version 
is  available,  and  how  frequently  to  check  for  new  versions.  When  installing  the  player  on  Windows  and 
Mac, the user selects which option they want:

• Allow Adobe to install updates (recommended)

•  Notify  me  to  install  updates 

•  Never  check  for  updates  (not  recommended) 

For Linux systems, users are automatically configured for notification updates. Use the Settings Manager
or the mms.cfg file to change this setting.

You can use the AutoUpdateDisable and AutoUpdateInterval settings in the mms.cfg file to prevent the
user from choosing auto-update, or to override the frequency of checking for new versions.

Note that any user can disable a notification update. However, background updates cannot be disabled.
For more information on background updates, see the SilentAutoUpdateEnable option in Update
options.

Use the Local Settings Manager to specify auto-update settings. On Microsoft Windows, access the Local
Settings Manager from the Control Panel. On a Mac, access it through the System Preferences. For Linux,
access it by right-clicking on Flash content and selecting Global Settings from the context menu.

For more information on the Local Settings Manager, see
http://www.adobe.com/go/global_privacy_settings.


Security  options 

This section describes the security options available to end-users. For more information on Flash Player
security in general, see Security considerations. You can use a number of options in the mms.cfg file to
override user security options; see Security options.

End users should rarely need to intervene in Flash Player security decisions. However, because the Flash
security model evolves over time, occasionally Flash Player encounters a situation in which Flash content
attempts to perform an operation that was permitted in a previous version of Flash Player, but is no
longer permitted by default. In these situations, it is impossible for Flash Player to tell whether the Flash
content in question is legitimate older content that was authored before the change in rules, or malicious
content that is attempting to break the newer rules. Flash Player handles these situations conservatively,
guiding users toward secure choices, but offering users the ability to restore functionality of older
content that has been inadvertently affected.

When Flash content attempts to use older domain matching rules, Flash Player presents a Security dialog
box:


Users may interactively allow or prevent the attempted operation. If they choose “Never ask again”, their
allow or deny choice is remembered and used for all future instances where this dialog would be
presented. Users can later see or change their remembered choice in the Settings Manager at
www.adobe.com/go/global_security_settings. Their remembered choice is shown there as “Always
ask”, “Always allow”, or “Always deny”.

When  Flash  content  attempts  to  use  older  local  security  rules,  Flash  Player  presents  a  different  dialog 
box: 


This dialog box is only a failure notification - it does not provide an interactive allow option. However, the
Settings button in this dialog box brings users to the same Settings Manager link given above. In the
Settings Manager, users can affect local security rules in two ways:

•  The  “Always  ask”,  “Always  allow”,  or  “Always  deny”  choice  affects  not  only  domain  matching,  as 
previously  mentioned;  it  also  governs  Flash  Player's  behavior  when  content  attempts  to  use  older 
local  security  rules.  However,  the  Ask/Allow/Deny  choice  affects  only  content  that  is  apparently 
older;  that  is,  content  that  specifies  an  older  version  number. 

• Users can add local file system paths that are to be placed in the local-trusted sandbox (see Security
sandboxes for local content). This enables finer-grained control than the Ask/Allow/Deny choice,
and also works for Flash content of any version. Only local paths have any effect in this list; Web
domains and URLs have no effect, as remote content may never be placed in a local sandbox. Also,
this list, unlike the Ask/Allow/Deny choice, affects only local security rules, not domain matching
rules.

Flash Player administrators can use several options in the mms.cfg configuration file to restrict users'
ability to make these security choices.

• The LegacyDomainMatching and LocalFileLegacyAction options control Flash Player's behavior in
the situations where, respectively, the domain matching or local security dialogs would be
displayed. There is only a single user control (Ask/Allow/Deny) for both of these situations, but you
can specify different options for each of them using these two mms.cfg options.

• The AllowUserLocalTrust option controls users' ability to add individual paths to the local-trusted
sandbox.

For  more  information  on  these  options,  see  Security  options  in  Administration. 
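An added example (not part of the Adobe guide): a short Python audit that reads mms.cfg text and reports which of the three options named above are unset, permissive, or spelled with unexpected capitalisation. It assumes `Name = value` lines with `#` comments, and that for each of these options 0 is the restrictive value and 1 the permissive one, as described in the guide's Administration chapter.

```python
# Added example: audit mms.cfg text for the security options named above.
# Assumption (from the guide's Administration chapter, not this section):
# for each option 0 is the restrictive value and 1 the permissive one.

# Constructed sample input, not a recommended configuration.
SAMPLE_MMS_CFG = """\
# kiosk image, constructed for this example
AutoUpdateDisable=1
LegacyDomainMatching = 1
allowuserlocaltrust=0
"""

# option -> what happens when the administrator leaves it unset
USER_DECIDES = {
    "LegacyDomainMatching": "user answers the domain-matching Security dialog",
    "LocalFileLegacyAction": "user's Ask/Allow/Deny choice governs older local content",
    "AllowUserLocalTrust": "users can add paths to the local-trusted sandbox",
}


def parse_mms_cfg(text):
    """Return {option: value} for every 'Name = value' line, skipping # comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        settings[name.strip()] = value.strip()
    return settings


def audit_mms_cfg(text):
    """Return (option, status, detail) tuples for settings an admin should review."""
    settings = parse_mms_cfg(text)
    by_lower = {name.lower(): name for name in settings}
    findings = []
    for option, unset_effect in USER_DECIDES.items():
        if option in settings:
            if settings[option] != "0":
                findings.append((option, "permissive", f"value is {settings[option]!r}"))
        elif option.lower() in by_lower:
            # Present, but capitalised differently from the documented name:
            # confirm on a test machine that the player honours the line.
            findings.append((option, "check-spelling", f"written as {by_lower[option.lower()]!r}"))
        else:
            findings.append((option, "unset", unset_effect))
    return findings


if __name__ == "__main__":
    for finding in audit_mms_cfg(SAMPLE_MMS_CFG):
        print(*finding, sep=": ")
```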


Display  options 

Display options let the user specify whether to enable hardware acceleration.

The User FlashPlayerTrust directory

Application installers or end users can specify that certain files or directories of files that are stored on
the user’s computer should be trusted, and be placed in the user’s local-trusted sandbox. (For a discussion
of sandboxes, see Security sandboxes for local content.) Information on these trusted files is stored
in a directory called the User FlashPlayerTrust directory. This directory registers files or directories as
trusted only for the current user. (For information on registering files as trusted for all users, see The
Global FlashPlayerTrust directory.) You can specify whether users can permit applications to be trusted;
see Security options.

Information about trusted files can be placed in this directory in two ways:

• An administrator or end-user can create a config file and store it in the User FlashPlayerTrust directory.

• A user without administrative rights can install an application that registers itself as locally trusted.

The User FlashPlayerTrust directory is located in the following location:

Windows Vista

C:\Users\username\AppData\Roaming\Macromedia\Flash Player\#Security\FlashPlayerTrust

Windows 2000 and Windows XP

C:\Documents and Settings\username\Application Data\Macromedia\Flash Player\#Security\FlashPlayerTrust

Macintosh

/Users/username/Library/Preferences/Macromedia/Flash Player/#Security/FlashPlayerTrust

Linux 

GNU-Linux  ~/.macromedia/#Security/FlashPlayerTrust 

For  information  on  how  to  create  and  format  these  configuration  files,  see  The  Global  FlashPlayerTrust 
directory. 
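An added example (not part of the Adobe guide): because any user or non-administrative installer can drop a file into this directory, the Python audit below walks a FlashPlayerTrust directory and reports entries that trust far more than one application. It assumes the trust-file format of one local path per line with `#` comment lines; the `DROP_DIRS` heuristic and the sample file are constructed for illustration.

```python
# Added example: list risky entries in a FlashPlayerTrust directory.
# Assumed file format: one local path per line, '#' starts a comment line.
import os
import re
import tempfile
from pathlib import PurePosixPath, PureWindowsPath

# Heuristic list of folders where downloaded content tends to land (not from the guide).
DROP_DIRS = {"downloads", "temp", "tmp", "desktop"}

# Constructed sample trust file, used by demo() below.
SAMPLE_TRUST_FILE = r"""# acme kiosk installer (constructed)
C:\Program Files\Acme\Kiosk\content
C:\
C:\Users\alice\Downloads
http://intranet.example/app.swf
/opt/acme/kiosk/main.swf
"""


def classify(entry):
    """Return 'ok' or the reason a trusted-path entry deserves review."""
    if re.match(r"^[a-z][a-z0-9+.-]*://", entry, re.I):
        return "not-local"          # remote content is never placed in a local sandbox
    windows = re.match(r"^[A-Za-z]:[\\/]", entry) or entry.startswith("\\\\")
    path = PureWindowsPath(entry) if windows else PurePosixPath(entry)
    if not path.is_absolute():
        return "relative"
    below_root = [part.lower() for part in path.parts[1:]]
    if len(below_root) <= 1:
        return "overbroad"          # a drive, a root, or a top-level folder
    if DROP_DIRS.intersection(below_root):
        return "drop-location"      # anything saved here would run as local-trusted
    return "ok"


def audit_trust_dir(directory):
    """Return (file, line number, entry, reason) for every entry that is not 'ok'."""
    findings = []
    for name in sorted(os.listdir(directory)):
        full = os.path.join(directory, name)
        if not os.path.isfile(full):
            continue
        with open(full, encoding="utf-8", errors="replace") as handle:
            for number, raw in enumerate(handle, start=1):
                entry = raw.strip()
                if not entry or entry.startswith("#"):
                    continue
                reason = classify(entry)
                if reason != "ok":
                    findings.append((name, number, entry, reason))
    return findings


def demo():
    """Write the constructed sample into a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as trust_dir:
        with open(os.path.join(trust_dir, "acme.cfg"), "w", encoding="utf-8") as handle:
            handle.write(SAMPLE_TRUST_FILE)
        return audit_trust_dir(trust_dir)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Point `audit_trust_dir` at each user's FlashPlayerTrust directory listed above; setting AllowUserLocalTrust in mms.cfg remains the control that stops users adding new entries.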

Security considerations


Clearly, it is critical to maintain the security and integrity of your users’ computers when you install
Adobe Flash Player. This section provides an overview of security, focusing on those aspects of particular
interest to administrators deploying Flash Player. Adobe has developed a number of web pages, white
papers, chapters in other books, and tech notes that address these security issues, as well as others, in
more detail. For a list of these resources, see Additional security resources.


Security  overview 

As  a  computer  system  administrator,  one  of  your  primary  responsibilities  is  to  ensure  the  security  and 
integrity  of  the  data  on  the  systems  you  manage.  Adobe  addresses  Flash  Player  security  in  a  number  of 
ways,  ranging  from  settings  users  can  control  individually  to  files  that  must  be  placed  on  servers  to  allow 
advanced  applications  to  pass  information  between  different  domains. 

Because of security issues that arise with relation to Internet access, Adobe (and formerly Macromedia)
has implemented more stringent security measures with each release of Flash Player. Through improvements
in the security model, Flash Player 10 by default provides much stricter limitations on potentially
malicious activities than earlier versions of Flash Player. (In fact, some of these improvements can
require you, application authors, or end users to specifically permit actions that were permitted by
default in earlier players; see About compatibility with previous Flash Player security models.) Additionally,
you can control a number of security-related settings through the use of a config file that you deploy
on a user’s system when you deploy the player.

Depending  on  how  security  settings  are  permitted  or  prohibited  by  the  application  author,  the  end  user, 
or  you  (the  administrator),  Flash  Player  may  or  may  not  be  able  to  download  files  to  the  local  disk,  upload 
files  from  the  disk,  write  shared  objects  to  disk  (sometimes  referred  to  as  “Flash  cookies”),  access  and 
run  other  SWF  files  on  the  local  disk,  or  communicate  between  the  local  disk  and  the  Internet. 

In addition, there are certain activities that Flash Player can never perform, such as reading the path of
a local file. For example, even if an application (SWF file) tries to upload or download a file, the application
can’t set the default file location for the file; the default location shown in the dialog box is the most
recently browsed folder, if that location can be determined, or the desktop. Also, the application can’t
read from or write to the transferred file. In fact, the SWF file that initiated the upload or download can’t
access the uploaded or downloaded file or even the file's location on the user's disk. Another example is
that a SWF file can never determine the contents of a local directory.

With  regard  to  ensuring  security  of  users’  computers,  the  areas  of  primary  interest  to  administrators  are 
the  following: 

• How Flash uses security sandboxes to determine whether and how a SWF file on the local disk can
communicate with SWF files on the network (see Security sandboxes for local content)

• How users can interactively allow or prohibit certain potentially malicious activities (see
User-configured settings)

• How you can deploy a configuration file to override choices users might make with regards to security
and privacy issues (see Administration)

The area of cross-domain security might also be of interest, although it is usually addressed by application
authors. However, authors of applications you plan to deploy might request that you implement a
server-side policy file, for example, to permit certain types of cross-domain file access. For more information,
see Data loading through different domains.

note: Users who are working in the Flash authoring environment to create applications have access to a
number of ways to implement certain security features. These techniques are described in the documentation
that accompanies the authoring tool, and are not discussed in this document. If some of your users
are developing Flash content, ensure that security measures that you implement are compatible with the
features of the applications they are developing, and vice versa.

Security  sandboxes  for  local  content 

Client computers can obtain individual SWF files from a number of sources, such as by downloading them
from external web sites or by copying them from a network server. Flash Player individually assigns local
SWF files (those stored on the end-user’s computer) and other resources, such as shared objects,
bitmaps, sounds, videos, and data files, to security sandboxes based on their origin when they are loaded
into Flash Player.

Interaction between files in different sandboxes is limited; these limitations prevent SWF files from
performing operations that could introduce security breaches. Restricting how a file can interact with the
local file system or the network helps keep users’ computers and files safe. By default, local SWF files can
communicate within the local file system or with the Internet, but not both.

note:  The  restrictions  that  are  discussed  in  this  section  do  not  affect  SWF  files  that  are  served  from  a  web 
site  on  the  Internet. 

Local  SWF  files  can  have  the  following  levels  of  permission: 

Access  the  local  file  system  only  (default) 

A local SWF file can read from the local file system and universal naming convention (UNC) network
paths  but  cannot  communicate  with  the  Internet.  These  files  are  placed  into  the 
local-with-filesystem  sandbox. 

Access  the  network  only 

A  Flash  author  can  specify  that  a  SWF  file  be  able  to  communicate  between  the  local  system  and 
the  network,  but  not  have  access  to  the  local  file  system  where  it  is  installed.  These  files  are  placed 
into  the  local-with-networking  sandbox. 

Access  to  the  local  file  system  and  the  network 

SWF application installers, end users, and administrators can specify that a local SWF file (or
multiple SWF files) be able to read from the local file system where it is installed, read and write to
and from servers, and cross-script other SWF files on either the network or the local file system.
These files are called trusted, and are placed into the local-trusted sandbox.

Each of these sandboxes is discussed in more detail in the following sections, and in even greater detail
in white papers and other documents that are available online; see Additional security resources.

A Flash author can use the API System.security.sandboxType (ActionScript 1.0 or 2.0) or
Security.sandboxType (ActionScript 3.0) to determine the sandbox in which a SWF file is placed.
This API must be used while the SWF file is playing in a browser, not through the use of the Test Movie
command in Flash. When SWF files run via Test Movie, local security is not implemented.

The  local-with-file-system  sandbox 

By default, Flash Player places all local SWF files, including all legacy local SWF files (earlier than Flash
Player 8), in the local-with-file-system sandbox. For some legacy SWF files, operations could be affected
by prohibiting outside network access, but this default provides the most secure implementation. (For
more information on potential issues with legacy SWF files, see About compatibility with previous Flash
Player security models.)

From this sandbox, SWF files may read from files on local file systems or a UNC network path, but they
may not communicate with the network in any way. This assures the user that local data cannot be
leaked out to the network or otherwise inappropriately shared.

The  local-with-networking  sandbox 

When a Flash author specifies that local SWF files should be assigned to the local-with-networking
sandbox, the SWF files are allowed to access the network but forfeit their local file system access.
However, a local-with-networking SWF file still is not allowed to read any network-derived data unless
permissions are present for that action. That is, a local-with-networking SWF file has no local access, yet
it has the ability to transmit data over the network and can read network data from those sites that designate
site-specific access permissions.

The  local-trusted  sandbox 

As its name implies, placing files in this sandbox indicates that they can be trusted not to perform any
malicious activities that would compromise the security of the local system or of the network. SWF files
assigned to the local-trusted sandbox can interact with any other SWF files, and load data from anywhere
(remote or local). Files (or entire directories) can be registered as trusted in a number of ways.

• An end user can respond to a pop-up dialog box or use the Flash Player Settings Manager to specify
that a SWF file or set of files should be trusted for that user. For information on settings available
to end-users, see User-configured settings. For information on how to control the end-users’ ability
to specify trusted files, see AllowUserLocalTrust.

• An administrator, an installer program, or an end-user can create configuration files and place them
directly in the appropriate directories. The configuration files are placed in a directory named
FlashPlayerTrust on the user’s computer, in one of two locations. One location requires administrative
access and applies to all users on a computer; see The Global FlashPlayerTrust directory. The other
location doesn’t require administrative access and applies only to the current user; see The User
FlashPlayerTrust directory.

When an installer installs local SWF files and HTML files, those files should be trusted, because the
user consented to run an installer executable to create them. Likewise, when an installer installs an
application that plays local SWF files by embedding a Flash Player, the application should be able to
play local SWF files in a trusted mode, even if the embedded Flash Player would normally enforce
local security. End users should exercise the same caution installing Flash applications as they would
when installing any other applications on their computer.


About compatibility with previous Flash Player security models

As a result of the security feature changes over Flash Player’s history, content that runs as expected in
one Player version might not run as expected in later versions. In these cases, you (and end-users) can
specify security settings that are less stringent than the Flash Player default settings. In other words, you
can choose to run certain content in a less secure environment.

For example, local SWF files can’t communicate with the Internet without a specific configuration on the
user’s computer. Suppose you have legacy content that was published before these restrictions were in
effect. If that content tries to communicate with the network or local file system, or both, Flash Player
stops the operation. By default, a Security pop-up question appears, and the user must explicitly provide
permission for the application to work properly.

To prevent users from having to provide permission explicitly, Flash provides a number of options.

• An end-user can use the Global Security Settings Panel at www.adobe.com/go/global_security_settings
to specify that a file or set of files should be trusted.

• An end-user, or an installer program run without administrative access, can place a local configuration
file on the user’s machine to specify that a file or set of files should be trusted (see The User
FlashPlayerTrust directory).

• You, or an installer program run with administrative access, can place a global configuration file on
the user’s machine to specify that a file or set of files should be trusted (see The Global FlashPlayerTrust
directory).

• You can set an option in a configuration file you deploy to users’ machines, the mms.cfg file, to
always allow or always deny such access (see Security options in Administration).

• You can run a free, command-line utility called the Local Content Updater on the legacy SWF files.
The Local Content Updater lets you change the security sandbox that the SWF file operates in when
it is played as a local file in Flash Player 8 and above. It can add, remove, or check for
local-with-networking privileges, operating on one or many SWF files. For more information or to
download the utility, see Local Content Updater at
www.adobe.com/support/flashplayer/downloads.html#lcu.


Data  loading  through  different  domains 

To make data from a web server available to SWF files from other domains, you may be asked by a Flash
author to create a policy file on your server. Policy files are XML files placed in a specific location on your
server.

Policy  files  affect  access  to  a  number  of  assets,  including  the  following: 

•  Data  in  bitmaps,  sounds,  and  videos 

• Loading XML and text files

• Importing SWF files from other security domains into the security domain of the loading SWF file

•  Access  to  socket  and  XML  socket  connections 

There  are  two  types  of  policy  files — URL  policy  files  and  socket  policy  files. 

•  URL  policy  files  provide  a  way  for  the  server  to  indicate  that  its  data  and  documents  are  available 
to  SWF  files  served  from  certain  domains  or  from  all  domains. 

•  Socket  policy  files  enable  networking  directly  at  the  lower  TCP  socket  level,  using  the  Socket  and 
XMLSocket  classes. 

Requirements for implementing policy files are more strict in Flash Player 10 than in earlier versions of
Flash Player. For more information, see the Flash Player Developer Center at
www.adobe.com/devnet/flashplayer, as well as the information listed below in Additional security
resources.
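An added example (not part of the Adobe guide): when a Flash author asks you to publish a policy file, the Python check below reviews it for rules that open the server to every domain or every port before you deploy it. The element and attribute names follow Adobe's cross-domain policy file specification rather than this chapter, and the sample policy is constructed and deliberately over-permissive.

```python
# Added example: flag permissive rules in a cross-domain policy file.
# Element and attribute names follow Adobe's cross-domain policy file
# specification; they are not spelled out in this chapter.
import xml.etree.ElementTree as ET

# Constructed sample policy, deliberately over-permissive.
SAMPLE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*"/>
  <allow-access-from domain="*.example.com" secure="false"/>
  <allow-access-from domain="apps.example.com" to-ports="8080"/>
  <allow-access-from domain="*" to-ports="*"/>
</cross-domain-policy>
"""


def audit_policy(xml_text):
    """Return (location, issue) pairs for rules that grant broad access."""
    # A policy file has no use for entity declarations; refuse them before parsing.
    if "<!entity" in xml_text.lower():
        raise ValueError("entity declarations are not expected in a policy file")
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        raise ValueError(f"unexpected root element {root.tag!r}")

    findings = []
    for control in root.iter("site-control"):
        if control.get("permitted-cross-domain-policies", "").lower() == "all":
            # Any policy file anywhere on the host is honoured.
            findings.append(("site-control", "all-policies"))
    for index, rule in enumerate(root.iter("allow-access-from"), start=1):
        where = f"allow-access-from[{index}]"
        if rule.get("domain", "").strip() == "*":
            # SWF files served from every domain may read this server's data.
            findings.append((where, "any-domain"))
        if rule.get("secure", "true").strip().lower() == "false":
            # SWF files loaded over HTTP may read data served over HTTPS.
            findings.append((where, "secure-false"))
        if rule.get("to-ports", "").strip() == "*":
            # Socket policy that opens every port on the host.
            findings.append((where, "all-ports"))
    return findings


if __name__ == "__main__":
    for location, issue in audit_policy(SAMPLE_POLICY):
        print(f"{location}: {issue}")
```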


Additional  security  resources 

For  quick  reference,  the  following  list  summarizes  various  web  pages  and  documents  related  to  security, 
many  of  which  are  mentioned  elsewhere  in  this  chapter  or  in  other  chapters  in  this  book. 

• Flash Player Security and Privacy (www.adobe.com/products/flashplayer/security/). This document
provides an overview of how Flash Player maintains users’ privacy.

• Security Topic Center (www.adobe.com/devnet/security/). This document provides information on
security and links to a number of other resources.

• Flash Player Developer Center (www.adobe.com/devnet/flashplayer). This site provides links to a
number of security-related documents geared for developers.

• Flash Player 9 Security white paper
(www.adobe.com/devnet/flashplayer/articles/flash_player9_security_wp.html). This document focuses
on how Flash Player 9.0.124.0 addresses a number of issues related to security, including features
previously introduced in earlier versions of the product.

• Security changes in Flash Player 10
(http://www.adobe.com/devnet/flashplayer/articles/fplayer10_security_changes.html).

• Flash Player Help for user setting panels (www.adobe.com/go/player_help_en). These pages
explain security settings users can specify using the Settings Manager, settings dialog boxes, and
questions that might pop up while a SWF is running.

• “How do I let local Flash content communicate with the Internet?” (www.adobe.com/go/4c093f20).
This document describes the security issues involved in allowing (or preventing) local SWF files
from accessing the Internet.

• The Flash Player Local Content Updater (www.adobe.com/support/flashplayer/downloads.html#lcu)
lets you change the security sandbox in which SWF files written for Flash Player 7
and earlier operate.

•  ActionScript  2.0  and  Security  (see  the  “Understanding  Security”  chapter  in  Learning  ActionScript 
2.0  in  Adobe  Flash). 